EPM System User Security Administration Guide 11.1.2.3
Transcript of EPM System User Security Administration Guide 11.1.2.3
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 1/96
Oracle® Enterprise Performance ManagementSystem
User Security Administration Guide
Release 11.1.2.3
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 2/96
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 3/96
Documentation Accessibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Chapter 1. About Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
What Is Shared Services? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Launching Shared Services Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Overview of Shared Services Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Searching for Users, Groups, Roles, and Delegated Lists . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Chapter 2. EPM System Security Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Security Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
User Authentication Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Native Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
User Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Provisioning (R ole-based Authorization) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Global Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Predefined R oles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Aggregated Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Default EPM System Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
System Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Functional Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Chapter 3. Working with Application Groups and Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Working with Application Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Creating Application Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Modifying Application Group Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Deleting Application Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Managing Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Moving Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Copying Provisioning Information Across Applications . . . . . . . . . . . . . . . . . . . . . . 20
Deleting Multiple Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Deleting an Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Provisioning Essbase Application Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Exploring Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Chapter 4. Delegated User Manag ement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
About Delegated User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Contents iii
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 4/96
Hierarchy of Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
System Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Functional Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Delegated Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Enabling Delegated User Management Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Creating Delegated Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Planning Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
User Accounts for Delegated Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Create a Delegation Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Provisioning Delegated Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Creating Delegated Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Modifying Delegated Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Deleting Delegated Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Viewing Delegated Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Chapter 5. Managing Native Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
About Native Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Default Native Directory Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Managing Native Directory Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Creating Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Viewing and Modifying User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Deactivating User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Activating Inactive User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Deleting User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Changing Native Directory User Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Managing Native Directory Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Nested Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Creating Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Modifying Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Deleting Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Managing Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Creating Aggregated Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Modifying Aggregated Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Deleting Aggregated Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Backing Up Native Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Chapter 6. Managing Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
About Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Before Starting Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Overview of Provisioning Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
iv Contents
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 5/96
Provisioning Administrative Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Provisioning EPM System Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Provisioning Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Deprovisioning Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Auditing Securit y Activities and Lifecycle Management Artifacts . . . . . . . . . . . . . . . . . . . 49
Manually Purging Audit Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Selecting Objects for Application and Application Group-Level Audits . . . . . . . . . . . . . . . 50
Changing Purge Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Generating Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Generating Prov isioning Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Generating Audit Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Generating Migration Status Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Importing and Exporting Native Directory Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Chapter 7. Managing Taskflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
About Taskflow s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Taskflow Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Stages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Prerequisites for Working with Taskflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Creating and Managing Taskflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Accessing the Manage Taskflow Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Creating Taskflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Editing Taskflow s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Viewing Taskflow Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Scheduling Taskflow s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Manually Running Taskflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Viewing Taskflow Status and Execution Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Taskflow Scripts Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Appendix A. EPM System Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Foundation Services Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Shared Services Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63Performance Management Architect Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Calculation Manager Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Financial Management Manager Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Essbase Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Essbase Studio R oles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Reporting and Analysis Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Contents v
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 6/96
Financial Management Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Disclosure Management Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Financial Close Management Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Account Reconciliation Management Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Planning Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Profitability and Cost Management Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Standard Profitability and Cost Management Roles . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Detailed Profitability and Cost Management Roles . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Performance Scorecard Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Strategic Finance Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Provider Services Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Data Integration Management Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
FDM Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
FDMEE Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Integrated Operational Planning Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Appendix B. EPM System Component Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Appendix C. Accessing EPM System Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Accessing Shared Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Accessing EPM Workspace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Accessing Administration Services Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
vi Contents
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 7/96
Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Access to Oracle SupportOracle customers have access to electronic support through My Oracle Support. For information, visit http://
www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?
ctx=acc&id=trs if you are hearing impaired.
7
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 8/96
8 Documentation Accessibility
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 9/96
About Shared Services
In This Chapter
What Is Shared Services?... ..... ...... ..... ..... ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... .. 9
Launching Shared Services Console ..... ...... ..... ...... ...... ..... ...... ..... ...... ...... ..... ...... ... 9
Overview of Shared Services Console....................................................................10
Searching for Users, Groups, Roles, and Delegated Lists... ... ... ... ... ... ... ... ... ... ... ... ... ... ... .11
What Is Shared Services?Oracle Hyperion Shared Services, an Oracle Hyperion Foundation Services component, helps
establish a secure environment for Oracle Enterprise Performance Management System
products. Using Shared Services, users define and manage security for EPM System deployments.
Users interact with Shared Services through Oracle Hyperion Shared Services Console.
All EPM System components depend on Shared Services to define how users are authenticated
and how they are authorized to use product resources.
Launching Shared Services ConsoleYou use a menu option in Oracle Hyperion Enterprise Performance Management Workspace
to Access Shared Services Console.
ä To launch the Shared Services Console:
1 Go to:
http://web_server_name:port_number /workspace
In the URL, web_server_name indicates the name of the computer where the web server
used by Foundation Services is running, and port_number indicates the web server port;
for example, http://myWebserver:19000/workspace.
Note: If you are accessing EPM Workspace in secure environments, use https (not http)
as the protocol and the secure web server port number. For example, use a URL such
as: https://myserver:19043/workspace.
2 Click Launch Application.
What Is Shared Services? 9
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 10/96
Note: Pop-up blockers may prevent EPM Workspace from opening.
3 In Logon, enter your user name and password.
Initially, the only user who can access Shared Services Console is the EPM System
Administrator whose user name and password were specified during the deployment
process.
4 Click Log On.
5 Select Navigate, then Administer , and then Shared Services Console.
Overview of Shared Services ConsoleShared Services Console comprises a View pane, also known as the Application Management
pane, and task tabs. When you initially Access Shared Services Console, it displays the View pane
and a Browse tab.
The View pane is a navigation frame where you can choose objects (such as Native Directory
and application groups). Typically, details of the current selection in the View pane are displayed
on the Browse tab. Additional task tabs open as needed, depending on the task that you perform;
for example, a Report tab opens when you generate or view a report.
Depending on the current configuration, Shared Services Console lists your existing objects in
the View pane. You can expand these object listings to view details. For example, you may select
the User Directories node to view a list of configured user directories.
A shortcut menu, accessible by right-clicking an object, is associated with some objects in the
View pane.
Shortcut menus associated with objects in the View pane provide the quickest method to perform
operations on the objects. Options in shortcut menus change dynamically, depending on what
you select. These options are available also on a menu in the menu bar. Buttons representingenabled menu options are displayed on the toolbar.
Note: Because Native Directory is administered from Shared Services Console, some menu
options available in the shortcut menu for Native Directory are not available for other
user directories.
The following features are available through Shared Services Console:
l User directory configurations
l Single sign-on configurationl Native Directory management
l Role-based access control management of users
l Audit configuration and report management
l Access to Oracle Hyperion Enterprise Performance Management System Lifecycle
Management and product artifact exploration
10 About Shared Services
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 11/96
Searching for Users, Groups, Roles, and Delegated
ListsShared Services Console enables searching for users and groups from configured user directories,
and for application roles registered with Shared Services.
When searching for users, the search parameters that you can specify depend on the type of user
directory you select. For example, in Native Directory, you can search for all users, active users,
and inactive users.
Search boxes displayed on the Browse tab reflect the search context based on the selection in the
View pane.
ä To search for users, groups, roles, or delegated lists:
1 In the View pane, expand User Directories.
2 From the user directory that you want to search, select one of the following:
l Users
l Groups
l Roles
l Delegated List
Note: Roles and Delegated List are available only in Native Directory searches.
Delegated List is available only if Shared Services is in Delegated Administration
mode. See Chapter 4, “Delegated User Management” for detailed information.
Available search fields are displayed on the Browse tab.3 To search for users:
a. In User Property , select a user property to search.
The user properties that you can select depend on the type of the user directory you
selected. For example, you can search user name, first name, last name, description, and
email address. In Native Directory, you can search for all users, active users, or inactive
users, an option that is not available while searching for users in other user directories.
Except in searches using the wildcard (asterisk), records for which this property value
is not set are not searched.
Searchable user properties:
l LDAP-based user directories: User name, first name, last name, description, and
email address
l Database providers: User name
b. Optional: In User Filter , specify a filter for identifying specific users. Use an asterisk (*)
as the wildcard in pattern searches.
Searching for Users, Groups, Roles, and Delegated Lists 11
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 12/96
c. Optional: In In Group(s), specify groups in which the search is to be performed. Use an
asterisk (*) as the wildcard in pattern searches. To search multiple groups, use a
semicolon to separate group names.
d. Native Directory only: From View , select a search context ( All, Active, or Inactive).
e. In Page Size, select the number of records to display in a search result page.
f. Click Search.4 To search for groups:
a. In Group Property select a property to search.
Note: Shared Services considers Oracle and SQL Server roles as equivalent to groups in
user directories. Shared Services considers each role in a nested Oracle database
role as a separate group that can be provisioned individually. Shared Services does
not honor relationships between nested database roles.
b. Optional: In Group Filter , enter a filter to limit the search. Use an asterisk (*) as the
wildcard in pattern searches.
c. Click Search.
5 To search for roles:
Role search is supported only for Native Directory.
a. In Role Property , select the property to search. Records for which this property value is
not set in Native Directory are not searched except in a search using the wildcard
(asterisk).
b. Optional: In Role Filter , enter a filter to limit the search. Use an asterisk (*) as the wildcard
in pattern searches.
c. Click Search.6 To search for delegated lists:
a. In List Name, enter a search string. Use an asterisk (*) as the wildcard in pattern searches.
b. Click Search.
12 About Shared Services
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 13/96
2
EPM System Security Concepts
In This Chapter
Security Components......................................................................................13
User Authentication Components ...... ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... ...... ....13
Provisioning (Role-based Authorization).................................................................14
Security ComponentsEPM System security comprises two complementary layers that control user access and
permissions:
l “User Authentication Components” on page 13
l “Provisioning (Role-based Authorization)” on page 14
User Authentication ComponentsEPM System users must be authenticated before their provisioning data is checked to determine
the EPM System components that they can access. By default, users enter a user name andpassword into a login screen to gain single sign-on (SSO) access to all EPM S ystem components
for which they are provisioned.
SSO is a session and user-authentication process that enables EPM System product users to enter
credentials only once, at the beginning of a session, to access multiple products. SSO eliminates
the need to log in separately to each product to which the user has access.
To enhance security, EPM System components may be protected using security agents that can
pass preauthenticated users to EPM System. Additionally, EPM System security can be enhanced
by using other mechanisms such as client certificate authentication, custom Java authentication,
and Kerberos. For detailed information on establishing a securing infrastructure for EPM
System, see the Oracle Enterprise Performance Management System Security ConfigurationGuide.
EPM System components check authenticated user credentials against configured user
directories. User authentication, along with component-specific provisioning, grants the user
access to EPM System components. Provisioning Managers grant users access to artifacts
belonging to EPM System components.
The following sections describe the components that support SSO:
Security Components 13
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 14/96
l “Native Directory” on page 14
l “User Directories” on page 14
Native Directory
Native Directory refers to the relational database that Shared Services uses to support
provisioning and to store seed data such as default user account, and additional users and groups
that you create.
Native Directory functions:
l Maintains and manages the native user accounts
l Maintains and manages the native group accounts
l Central storage for all EPM System provisioning information; it stores the relationships
among groups, roles, and applications
An administrator account, with the default name admin, is created during the deployment
process to create a System Administrator who manages EPM System security. This is the mostpowerful EPM System account. The user name and password of this account is set during
Foundation Services deployment.
Directory Managers access and manage Native Directory using the Shared Services Console. See
Chapter 5, “Managing Native Directory”.
User Directories
User directories refer to any corporate user and identity management system that is compatible
with EPM System components.
EPM System components are supported on several user directories, including LDAP-based user
directories, and Relational databases. User directories other than Native Directory are referred
to as external user directories throughout this document. Only Administrators are permitted to
manage external user directories.
Provisioning (Role-based Authorization)EPM System security determines user access to applications using the concept of roles. Roles are
permissions that determine user access to functions within EPM System components. Some
EPM System components enforce object-level ACLs to further refine user access to their artifactssuch as reports and members.
Each EPM System component provides several default roles tailored to various business needs.
Applications belonging to an EPM System component inherits these roles. Predefined roles from
the applications registered with Shared Services are displayed in the Shared Services Console.
14 EPM System Security Concepts
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 15/96
To facilitate provisioning, you may create custom Native Directory roles that aggregate the
default roles to suit specific requirements. The process of granting roles and object ACLs
belonging to EPM System applications to users and groups is called provisioning .
Native Directory and configured user directories are sources for user and group information for
provisioning.
After a user is authenticated, the EPM System component that the user attempted to access
determines the user's groups. It then retrieves the user's provisioning data to determine the EPMSystem application roles that are applicable to the user. Additional data or object access security
may be handled through finer permissions defined within the application.
Role-based provisioning of EPM System products uses these concepts.
Roles
A role is a construct that defines the authorizations to use an EPM System component feature.
It is different from an access control list, which generally specifies access permissions for a specific
resource or object of the application.
Access to EPM System application resources is restricted; users can access them only after a role
that provides access is assigned to the user or to the group to which the user belongs.
Access restrictions based on roles enable functional administrators to control and manage
application access. See Appendix A, “EPM System Roles.”
Global Roles
Global roles, Shared Services roles that span multiple components, enable users to perform
certain tasks across products. These roles, managed by Shared Services, cannot be deleted. See
“Foundation Services Roles” on page 63 for a list of global roles.
Predefined Roles
Predefined roles are built-in roles in EPM System components; you cannot delete them. Each
application instance of an EPM System component inherits all the predefined product roles.
These roles, for each application, are registered with Shared Services when you create and register
the application. See Appendix A, “EPM System Roles”, for a list of predefined roles.
Aggregated Roles
Aggregated roles, also known as custom roles, aggregate multiple predefined application roles.An aggregated role can contain other aggregated roles. For example, a Provisioning Manager of
a Oracle Hyperion Planning application can create an aggregated role that combines the Planner
and View User roles of that application. Aggregating roles can simplify the administration of
applications that have several granular roles. Global Shared Services roles can be included in
aggregated roles. You cannot create an aggregated role that spans applications or EPM System
components.
Provisioning (Role-based Authorization) 15
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 16/96
Users
User directories––Native Directory and corporate user directories––are the source for users who
can access EPM System components. The authentication and the authorization processes utilize
user information.
You can create and manage Native Directory users only from Shared Services Console. Users
from all configured user directories are visible from Shared Services Console. Although userscan be individually provisioned to grant access rights on the EPM System applications registered
with Shared Services, Oracle does not recommend provisioning individual users.
Default EPM System Administrator
An administrator account, with the default name admin, is created in Native Directory during
the deployment process. This is the most powerful EPM System account and should be used
only to set up a System Administrator, who is the Information Technology expert tasked with
managing EPM System security and environment.
System Administrator
The System Administrator, typically a corporate Information Technology expert, is responsible
for setting up and maintaining a secure environment for EPM System.
Functional Administrators
The Functional Administrator is a corporate user who is an EPM System expert. Typically, this
user is defined in the corporate directory that is configured in Shared Services as an external user
directory.
The System Administrator creates EPM System Functional Administrators who perform EPMSystem administration tasks such as creating other functional administrators, setting up
delegated administration, and creating and provisioning applications and artifacts.
Groups
Groups are containers for users or other groups. You can create and manage Native Directory
groups from Shared Services Console. Groups and users from configured user directories can
be assigned as members of Native Directory groups. You can provision these groups to grant
permissions for EPM System products registered with Shared Services.
16 EPM System Security Concepts
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 17/96
3
Working with Application
Groups and Applications
In This Chapter
Overview .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Working with Application Groups... ..... ...... ..... ...... ..... ..... ...... ..... ...... ..... ...... ...... ....17
Managing Applications ...... ..... ...... ..... ..... ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... .19
Exploring Applications.....................................................................................22
Overview Application groups and applications are important EPM System concepts. An application is a
reference to one instance of an EPM System component that is registered with Shared Services.
Provisioning activities are performed against an application. Generally, applications are grouped
into application groups.
Working with Application GroupsGenerally, EPM System places a deployed application instance in an existing application group
of your choice or into the default application group.An application group is a container for EPM System applications. For example, an application
group may contain a Planning application and Oracle Hyperion Reporting and Analysis
applications. While an application can belong to only one application group, an application
group can contain multiple applications.
Generally, EPM System components place their applications into their own application groups.
If an EPM System component does not create its own application group, the user registering the
application can select an application group; for example, Default Application Group, to organize
the applications. Applications that are registered with Shared Services but are not yet added to
an application group are listed under the Default Application Group node in the View pane.
Provisioning Managers can provision users and groups with roles from applications listed in theDefault Application Group node.
Topics detailing application group management tasks:
l “Creating Application Groups” on page 18
l “Modifying Application Group Properties” on page 18
l “Deleting Application Groups” on page 19
Overview 17
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 18/96
Note: You must be a Functional Administrator or LCM Administrator to create and manage
application groups. While a Functional Administrator can work with all registered
applications. A Project Manager can view only with the applications for which that person
is the Provisioning Manager.
Creating Application GroupsDuring application group creation, you can also assign applications to the new application group.
ä To create an application group:
1 Access Shared Services Console as a Functional Administrator.
See “Launching Shared Services Console” on page 9.
2 In the View pane, right-click Application Groups, and then select New Application Group.
3 In Name, enter a unique application group name, and then, in Description, enter an optional description.
Application group names are case-sensitive. For example, Test_1, TEst_1, and test_1
are unique group names.
4 To assign applications to this application group:
a. From List Applications in Application Group, select an application group that contains
the application that you want to assign.
b. Click Update List. The Available Applications list displays the applications that you can
assign to the application group.
c. From Available Applications, select the applications to assign to the application group,
and then click .
d. To remove an assigned application, from Assigned Applications, select the application
to remove, and then click .
5 Click Finish.
6 Click Create Another to create another application group, or click OK to close the status screen.
Modifying Application Group Properties
You can modify all properties and settings of an application group, including application
assignments.
Note: Functional Administrators can also add applications to application groups by moving
them from another application group. See “Moving Applications” on page 20.
ä To modify an application group:
1 Access Shared Services Console as a Functional Administrator.
See “Launching Shared Services Console” on page 9.
18 Working with Application Groups and Applications
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 19/96
2 In the View pane, right-click an application group, and then select Open.
3 Modify the application group properties as needed. See step 4 on page 18 for information on assigning
or removing applications.
Note: Applications that you remove from a group are automatically reassigned to the
Default Application Group.
4 Click Save.
Deleting Application Groups
Deleting an application group removes the association of applications with the application group
and deletes the application group but does not remove provisioning assignments from
applications.
You cannot delete the following application groups:
l Default Application Group
l Foundation
l File System
ä To delete an application group:
1 Access Shared Services Console as Functional Administrator.
See “Launching Shared Services Console” on page 9.
2 In the View pane, right-click the application group, and then select Delete.
Note: Applications that are assigned to the application group are automatically reassigned
to the Default Application Group.
3 Click Yes.
4 Click OK .
Managing ApplicationsShared Services tracks registered EPM System applications.
Generally, application instances are registered with Shared Services during the deployment
process.Registration of some applications creates application groups and assigns applications to them.
If registration does not create an application group, then the application is listed under Default
Application Group. Provisioning Managers can provision these applications. When a Functional
Administrator moves applications from Default Application Group to another application
group, Shared Services retains the provisioning information.
Topics addressing application management tasks:
Managing Applications 19
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 20/96
l “Moving Applications” on page 20
l “Copying Provisioning Information Across Applications” on page 20
l “Deleting an Application” on page 21
l “Provisioning Essbase Application Artifacts” on page 21
Moving Applications
Functional Administrators can move applications from one application group to another
without losing provisioning data. Moving an application from an application group removes
the association between the application and the application group.
Note: Shared Services and Deployment Metadata application cannot be moved from the
Foundation application group.
ä To move an application:
1 Access Shared Services Console as Functional Administrator.
See “Launching Shared Services Console” on page 9.
2 Expand the node of the application group that contains the application that you want to move.
3 Right-click the application and select Move To.
4 On Move To, select the application group to which you want to move the application.
5 Click Save.
Copying Provisioning Information Across ApplicationsFunctional Administrators can copy provisioning information across EPM System application
instances; for example, from one Planning application to another. When Provisioning Managers
copy provisioning information, all user, group, and role information is copied to the target
application. Artifact provisioning information cannot be copied across applications.
ä To copy provisioning information across applications:
1 Access Shared Services Console as Provisioning Manager or Functional Administrator.
See “Launching Shared Services Console” on page 9.
2 In the View pane, expand the node of the application group that contains the application from whichyou want to copy provisioning information.
3 Right-click the application from which you want to copy provisioning information, and then select Copy
Provisioning .
Copy Provisioning opens. This tab lists the target application to which you can copy
provisioning information.
4 Select the destination application.
20 Working with Application Groups and Applications
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 21/96
5 Click Save.
Deleting Multiple Applications
When Functional Administrators delete applications, the provisioning information also is
deleted.
ä To delete applications:
1 Access Shared Services Console as Functional Administrator.
See “Launching Shared Services Console” on page 9.
2 In the View pane, right-click Application Groups and then select Delete.
3 Select the applications to delete. To delete all applications within an application group, select the
application group.
Note: You cannot delete application groups from this screen. See “Deleting Application
Groups” on page 19.
4 Click Delete.
5 Click OK .
Deleting an Application
Functional Administrators can delete applications from application groups. When you delete
an application from an application group, all provisioning information for that application is
removed.
ä To delete an application:
1 Access Shared Services Console as Functional Administrator.
See “Launching Shared Services Console” on page 9.
2 In then View pane, expand the node of the application group that contains the application that you want
to delete.
3 Right-click the application, and then select Delete.
4 Click OK .
Provisioning Essbase Application Artifacts
EPM System enforces application- and artifact-level provisioning to ensure application and data
security. Access to each EPM System application is restricted by provisioning users and groups
with application roles. Typically, a Provisioning Manager uses the Shared Services Console to
provision users and groups to EPM System applications.
Managing Applications 21
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 22/96
Some EPM System applications create their own artifacts; for example, reports and calculation
scripts that belong only to the application. In most cases, access to application artifacts can be
controlled by provisioning application users and groups. For example, a user creates filters and
calculation scripts for an Oracle Essbase application using the Oracle Essbase Administration
Services Console or MaxL. A Provisioning Manager for the Essbase application can use the
Shared Services Console to provision these filters and calculation scripts.
Provisioning Managers can provision groups with roles from the applications for which they aredefined as provisioning manager. Generally, the owner of the application (the user of who created
and registered the application with Foundation Services) is automatically granted the
Provisioning Manger role of the application.
Before starting this procedure, ensure that the required servers and applications are running.
ä To assign application-specific access permissions:
1 Access Shared Services Console as Provisioning Manager.
See “Launching Shared Services Console” on page 9.
2 In the View pane, expand the application group that contains the application for which you want toassign access permissions.
3 Right-click the application and select Assign Access Control. This option is available only for
applications for which access permissions can be set.
Note: If the application is not running, an error message is displayed when you select the
application. Start the application and refresh the View pane by clicking View , and then
Refresh to access the application.
4 Assign access permissions. See Appendix A, “EPM System Roles” for a list of product roles.
Exploring ApplicationsThe Lifecycle Management interface in Shared Services Console enables you to view, search,
export, and import application artifacts. The artifacts are sorted into categories so that they are
exposed in an organized manner. See the Oracle Enterprise Performance Management System
Lifecycle Management Guide.
22 Working with Application Groups and Applications
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 23/96
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 24/96
The Functional Administrator can create other Functional Administrators with more limited
access within EPM System. For example, to administer Planning application PlanApp1, the
Functional Administrator may provision a user with the LCM Administrator role of Foundation
Services and the Administrator role of the Planning application PlanApp1.
Delegated AdministratorsDelegated Administrators have limited administrator-level access to EPM System components.
They can access only the users and groups for which they are granted Administrator access,
dividing user and group management tasks across multiple administrators.
The scope of actions that Delegated Administrators can perform on EPM System components
is controlled by the access rights that the Functional Administrator granted them through
provisioning. For example, assume that a Delegated Administrator is granted the Directory
Manager global role in Shared Services, enabling the user to create users and groups in Native
Directory. Without additional roles, this Delegated Administrator cannot view a list of users and
groups that other administrators created. Further, Delegated Administrators require additional
roles to view the users that they create.
Enabling Delegated User Management ModeThe default Shared Services deployment does not support delegated administration. You must
enable Delegated User Management mode for Shared Services before you can create Delegated
Administrators. Additional screens and menu options become available after you switch to
Delegated User Management mode.
In Delegated User Management mode, the scope of the roles assigned to Delegated
Administrators is restricted to the users and groups in their delegated list. Reverting to the default
mode removes the restrictions and restores the original scope of the role. For example, assumethat user del_admin1, who is assigned the Essbase Provisioning Manager role, is the delegated
administrator for Esb_group1 and Esb_group2. Reverting to the default mode makes
del_admin1 an Essbase Provisioning Manager for all users and groups.
ä To enable Delegated User Management mode:
1 Access Shared Services Console as the Functional Administrator. See “Launching Shared Services
Console” on page 9.
2 From Administration, select Configure User Directories.
3 Select Security Options, and then Show Advanced Options.
4 Select Enable Delegated User Management Mode.
5 Click OK .
6 Click OK .
7 Restart Foundation Services and other EPM System components.
24 Delegated User Management
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 25/96
Creating Delegated Administratorsl “Planning Steps” on page 25
l “Provisioning Delegated Administrators” on page 25
l “Creating Delegated Lists” on page 26
l “Viewing Delegated Reports” on page 29
Planning Steps
l “User Accounts for Delegated Administrators” on page 25
l “Create a Delegation Plan” on page 25
User Accounts for Delegated Administrators
The Functional Administrator creates Delegated Administrators from user accounts in the user
directories configured in Shared Services. Unlike in provisioning, delegated administrationcapabilities cannot be assigned to groups. Before starting the process of delegating Shared
Services administration, verify that Delegated Administrators are created as users in a configured
user directory.
Create a Delegation Plan
The delegation plan should identify the Delegated Administrators needed to effectively
administer EPM System components and the tasks that they should be allowed to perform. The
plan should identify these users, groups, and roles:
l Users and groups that each Delegated Administrator should manage. This list can be used
while creating Delegated Lists. See “Creating Delegated Lists” on page 26.
l Shared Services and EPM System product roles that each Delegated Administrator should
be granted
Provisioning Delegated Administrators
The Functional Administrator provisions Delegated Administrators by granting them roles
based on the delegation plan, which defines the activities they should perform. See “Foundation
Services Roles” on page 63.
Delegated Administrators can be granted roles from EPM S ystem products; for example,Provisioning Manager from Planning, to allow them to perform administrative tasks in EPM
System products.
Creating Delegated Administrators 25
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 26/96
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 27/96
User Members is displayed.
a. In Directory , select the user directory from which users are to be displayed. If you are a
Delegated Administrator, the search lists only the users assigned to you.
b. Select a user attribute that you want to search in the drop-down list, and enter a search
filter.
c. Click Search.d. From Available Users, select users.
e. Click .
The selected users are listed in Assigned Users.
f. Optional: From Assigned Users, select a user, and then click to unassign a user.
Note: The Delegated Administrator of the list is automatically added as a user.
6 Optional: Click Next to assign Delegated Administrators for this list.
Managed By is displayed.
a. In Directory , select the user directory from which users are to be displayed.
b. Select a user attribute that you want to search in the drop-down list, and enter a search
filter.
c. Click Search.
d. From Available Users, select users.
e. Click .
The selected users are listed in Assigned Users.
f. Optional: From Assigned Users, select a user, and then click to unassign a user.
Note: The user who creates the list is automatically added as a Delegated Administrator of
the list.
7 Click Finish.
8 Click Create Another to define another list, or OK to close the Create Delegated List screen.
Modifying Delegated Lists
Delegated Administrators can modify only the lists assigned to them. Functional Administratorscan modify all delegated lists.
ä To modify delegated lists:
1 Access Shared Services Console. See “Launching Shared Services Console” on page 9.
2 Select Delegated Lists from the Native Directory node in the View pane.
Creating Delegated Administrators 27
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 28/96
3 Search for the delegated list to modify.
See “Searching for Users, Groups, Roles, and Delegated Lists” on page 11.
Delegated lists that meet the search criterion are listed on the Browse tab.
4 Right-click the delegated list, and then select Properties.
5 Optional: On General, modify the list name and description.
6 Optional: Click Group Members to modify group assignments.
a. In Directory , select the user directory from which groups are to be displayed. If you are
a Delegated Administrator, only groups assigned to you can be searched.
b. Select a group attribute (group name or description) that you want to search in the drop-
down list, and enter a search filter.
c. Click Search.
d. From Available Groups, select groups.
e. Click .
Note: Shared Services considers Oracle and SQL Server database roles the equivalents
of groups in user directories.
Oracle database roles can be hierarchical.
SQL Server database roles cannot be nested.
f. Optional: From Assigned Groups, select a group, and then click to unassign a group.
7 Optional: Click User Members to modify user assignments.
a. In Directory , select the user directory from which users are to be displayed. If you are a
Delegated Administrator, the search lists only the users assigned to you.
b. Select a user attribute that you want to search in the drop-down list, and enter a search
filter.
c. Click Search.
d. From Available Users, select users.
e. Click .
The selected users are listed in Assigned Users.
f. Optional: From Assigned Users, select a user, and then click to unassign a user.
8 Optional: Click Managed By to modify Delegated Administrator assignment.
a. In Directory , select the user directory from which users are to be displayed.
b. Select a user attribute that you want to search in the drop-down list, and enter a search
filter.
c. Click Search.
d. From Available Users, select users.
28 Delegated User Management
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 29/96
e. Click .
The selected users are listed in Assigned Users.
f. Optional: From Assigned Users, select a user, and then click to unassign a user.
9 Click OK .
10 Click OK .
Deleting Delegated Lists
ä To delete delegated lists:
1 Access Shared Services Console. See “Launching Shared Services Console” on page 9.
2 Select Delegated Lists from the Native Directory node in the View pane.
3 Search for the delegated list to modify.
See “Searching for Users, Groups, Roles, and Delegated Lists” on page 11.
Delegated lists that meet the search criterion are listed on the Browse tab.
4 Right-click the delegated list, and then select Delete.
5 Click Yes.
6 Click OK .
Viewing Delegated Reports
Delegated reports contain information about the users and groups assigned to the selected
delegated lists and the delegated administrators to whom the list is assigned.Functional Administrators can generate and view delegated reports on all delegated lists.
Delegated Administrators can generate reports on the delegated lists that they created and on
the delegated lists assigned to them.
ä To view delegated reports:
1 Access Shared Services Console. See “Launching Shared Services Console” on page 9.
2 In Native Directory node in the View pane, right-click Delegated List, and then select View Delegated
Report.
3 In Delegated List Name, enter the name of the list for which the report is to be generated. Use * as
wildcard for pattern searches.
4 In Managed By , enter the user ID of the Delegated Administrator whose assignments in the specified
list are to be reported. Use * as the wildcard for pattern searches.
5 Click Create.
6 Click OK to close the report or Print Preview to preview the report.
If you preview the report:
Creating Delegated Administrators 29
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 30/96
a. Click Print to print the report.
b. Click Close to close the View Report window.
30 Delegated User Management
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 31/96
5
Managing Native Directory
In This Chapter
About Native Directory.....................................................................................31
Default Native Directory Users and Groups..............................................................31
Managing Native Directory Users ...... ..... ..... ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... .32
Managing Native Directory Groups. ..... ...... ..... ...... ..... ..... ...... ..... ...... ..... ...... ...... ....36
Managing Roles............................................................................................41
Backing Up Native Directory ..... ...... ..... ..... ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... .43
About Native Directory Native Directory is a relational database that stores user provisioning data and product
registration data.
Shared Services Console is the administrative interface for Native Directory. Shared Services
Console displays a list of EPM System users and groups derived from configured user directory,
including Native Directory. These users and groups are used in provisioning.
Default Native Directory Users and GroupsNative Directory, by default, contains the default administrator account (suggested default user
name is admin). This account is used to create a System Administrator who is responsible for
maintaining EPM System security and system environment.
The System Administrator creates Functional Administrators who perform all Native Directory
and Shared Services administration tasks.
All EPM System users, whether defined in Native Directory or in an external user directory,
belong to the WORLD group, the only default Native Directory group. WORLD is a logical
group. All Shared Services users inherit the roles assigned to this group. A user gets the sum of
all permissions assigned directly to that user as well as those assigned to the user's groups
(including the WORLD group).
If Shared Services is deployed in delegated mode, the WORLD group contains groups as well as
users. If the delegated list of a user contains the WORLD group, then the user can retrieve all
users and groups during searches.
About Native Directory 31
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 32/96
Managing Native Directory UsersFunctional Administrators or Directory Managers can perform some of the following tasks to
manage Native Directory user accounts:
l “Creating Users” on page 32
l “Viewing and Modifying User Accounts” on page 33
l “Deactivating User Accounts” on page 34
l “Deleting User Accounts ” on page 35
l “Provisioning Groups” on page 47
l “Deprovisioning Groups” on page 48
l “Generating Provisioning Reports” on page 51
Note: Users in external user directories cannot be managed from Shared Services Console.
Creating Users
ä To create users:
1 Access Shared Services Console as a Functional Administrator or Directory Manager. See “Launching
Shared Services Console” on page 9.
2 In the Native Directory node in the View pane, right-click Users, and then select New User .
3 In Create User , enter the required information.
Table 1 Create User Screen
Label Description
User Name A unique user identifier (maximum 256 characters) that follows the naming conventions of your organization
(for example, first_name initial followed by the last name, as in jyoung )
User names can contain any number or combination of characters.
You cannot create identical user names, including names that are differentiated only by number of spaces. For
example, you cannot create user names user 1 (with one space between user and 1) and user 1 (with
two spaces between user and 1).
Password Passwords are case-sensitive and can contain any combination of characters.
Confirm Password Re-enter password.
First Name User's first name (optional)
Last Name User's last name (optional)
Description User's description (optional)
Email Address User's email address (optional). The email server domain extension; for example, .com, .org, and .gov, cannot
contain more than four characters.
32 Managing Native Directory
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 33/96
4 Optional: To assign the user to Native Directory groups, click Next.
a. Using the fields above the Available Groups list, search for groups.
i. From the drop-down list, selectGroup Name to search based on group names. Select
Description to search based on group descriptions.
ii. Enter the criterion for retrieving groups. Use * (asterisk) as the wildcard to retrieve
all available groups.iii. Click Search.
Groups that match the search criterion are listed under Available Groups.
b. From Available Groups, select groups.
c. Click .
The selected groups are listed under Assigned Groups list.
d. Optional: To retrieve and assign additional groups, repeat step 4.a.
Using the fields above the Assigned Groups list, you can search assigned groups to identify
the groups that you want to remove. For instructions on searching within assignedgroups, see step 4.a.
To remove assigned groups, from Assigned Groups, select the groups to remove, and
then click .
5 Click Finish.
6 Click Create Another to create another user or Finish to close Create User .
Viewing and Modifying User Accounts
Functional Administrators and Directory Managers can view and modify any property of NativeDirectory user accounts, including the user name of the System Administrator account that you
created while deploying EPM System.
Native Directory users who are not administrators can view their information but cannot modify
it.
ä To view and modify user information:
1 Access Shared Services Console as a Functional Administrator or Directory Manager. See “Launching
Shared Services Console” on page 9.
2 From the Native Directory node in the View pane, select Users.
3 Search for the user account. See “Searching for Users, Groups, Roles, and Delegated Lists” on page
11.
4 Right-click the user account to modify and select Properties.
Note: User Properties displays the Delegated List if Shared Services is deployed in Delegated
Administration mode.
Managing Native Directory Users 33
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 34/96
5 On General, modify user properties.
See Table 1 for descriptions of the properties that you can modify.
6 Optional: Modify the user's associations with Native Directory groups.
a. Click Member Of .
b. Using the fields above Available Groups, search for groups.
i. From the drop-down list, select Group Name to search based on group names. Select
Description to search based on group descriptions.
ii. Enter the criterion for retrieving groups. Use * (asterisk) as the wildcard to retrieve
all available groups.
iii. Click Search.
Groups that match the search criterion are listed under Available Groups.
c. From Available Groups, select groups.
d. Click .
The selected groups are listed under Assigned Groups.
e. Optional: To retrieve and assign additional groups, repeat step 6.b.
Using the fields above the Assigned Groups list, you can search assigned groups to identify
the groups that you want to remove. For instructions on searching within assigned
groups, see step 6.b.
To remove assigned groups, from Assigned Groups, select the groups to remove, and
then click .
7 Optional: Click Delegated List to view the user's delegated list assignment.
8 Click Finish.
Deactivating User Accounts
You can deactivate Native Directory user accounts that should not have access to EPM System
applications. Account deactivations are, typically, temporary suspensions that the Shared
Services administrator intends to reactivate.
l Inactive user accounts cannot be used to log on to EPM System applications, including
Shared Services Console.
l Group associations of inactive accounts are maintained and remain visible to Functional
Administrators.
l Role associations of inactive accounts are maintained.
l Inactive user accounts are not displayed on the product-specific access-control screens.
l Inactive user accounts are not deleted from Native Directory.
34 Managing Native Directory
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 35/96
Note: A user who is provisioned with the LCM Administrator role can deactivate other
administrators, including the System Administrator.
ä To deactivate user accounts:
1 Access Shared Services Console as a Functional Administrator or Directory Manager. See “Launching
Shared Services Console” on page 9.
2 Search for Native Directory users to deactivate. See “Searching for Users, Groups, Roles, and Delegated
Lists” on page 11.
3 Right-click the user account, and then select Deactivate.
4 Click OK .
Activating Inactive User Accounts
Activating inactive Native Directory user accounts reinstates associations that existed before the
accounts were deactivated. If a group of which the inactive user account was a member was
deleted, the roles granted through the deleted group are not reinstated.
Note: Deactivated System Administrator and Functional Administrator accounts can be
activated only by another administrator.
ä To activate deactivated user accounts:
1 Access Shared Ser vices Console as a Functional Administrator or Directory Manager. See “Launching
Shared Services Console” on page 9.
2 Search for Native Directory users to reactivate. See “Searching for Users, Groups, Roles, and Delegated
Lists” on page 11.
3 Right-click the user account and select Activate.
4 Click OK .
Deleting User Accounts
Deleting a user account removes the user’s associations with Native Directory groups, the role
assignments of the user, and the user account from Native Directory.
Note: The System Administrator account (by default, admin) cannot be deleted.
ä To delete user accounts:
1 Access Shared Ser vices Console as a Functional Administrator or Directory Manager. See “Launching
Shared Services Console” on page 9.
Managing Native Directory Users 35
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 36/96
2 Search for Native Directory users to delete. See “Searching for Users, Groups, Roles, and Delegated
Lists” on page 11.
3 Right-click the user account, and then select Delete.
4 Click Yes.
5 Click OK .
Changing Native Directory User Password
Because Native Directory account is segregated from the user accounts created to support other
corporate applications, password changes affect only EPM System products.
ä To change Native Directory password of the current user:
1 Launch EPM Workspace. See “Launching Shared Services Console” on page 9.
2 Select Tools, and then Change Password.
3 In Current Password, enter your password.
4 In New Password and Confirm Password, enter the new password.
5 Click Save.
Managing Native Directory GroupsNative Directory users can be grouped based on common characteristics. For example, users
can be categorized into groups such as staff, managers, and sales based on function, and
Sales_West and Managers_HQ based on location. A user can belong to many groups.
Native Directory groups can contain other groups and users from user directories configuredon Shared Services.
Group affiliations of a user are important considerations in the authorization process. Typically
groups, rather than individual user accounts, are used to facilitate provisioning.
Tasks performed by Functional Administrators and Directory Managers:
l “Creating Groups” on page 37
l “Modifying Groups” on page 39
l “Deleting Groups” on page 40
l “Provisioning Groups” on page 47
l “Deprovisioning Groups” on page 48
l “Generating Provisioning Reports” on page 51
Note: Groups on external user directories cannot be managed from Shared Services Console.
36 Managing Native Directory
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 37/96
Nested Groups
Nested groups are groups that are members of other groups (parent groups). You use nested
groups to facilitate provisioning. Group members inherit the roles assigned to the parent group.
You can create nested groups in Native Directory using groups from any configured user
directory. Using very complex nested groups is not recommended. The illustrated concept:
In addition to the roles assigned directly to it, each component group (for example, Group2)inherits all the roles assigned to the parent group (Role8 and Role9 in the illustration). For
example, the role assignment of Group1 in the illustration is Role1, Role8, and Role9. The parent
group does not inherit the roles assigned to member groups.
Creating Groups
A Native Directory group can contain users and groups from the user directories configured in
Shared Services, including Native Directory.
When a group from an external user directory is added to a Native Directory group, Shared
Services creates a reference in the database to establish the relationship.
ä To create Native Directory groups:
1 Access Shared Services Console as a Functional Administrator or Directory Manager.
See “Launching Shared Services Console” on page 9.
2 In the View pane, expand Native Directory .
3 Right-click Groups, and then select New Group.
4 In Name, enter a unique group name (maximum 256 characters).
Group names are not case-sensitive.
5 Optional: Enter a group description.
6 Perform an action:
l Click Finish to create the group without adding groups or users, and go to step 11.
l Click Next to create a nested group or assign users to the group.
7 Create a nested group. To skip this step, click Next.
Managing Native Directory Groups 37
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 38/96
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 39/96
Using the fields above Assigned Users, you can search assigned users to identify users
that you want to remove.
To remove assigned users, from Assigned Users, select the users to remove, and then
click .
10 Click Finish.
11 Select Create Another to create another group or Finish.
Modifying Groups
You can modify the properties of all Native Directory groups except the WORLD group. If you
remove a subgroup from a nested group, the role inheritance of the subgroup is updated.
Similarly, if you remove a user from a group, the role inheritance of the user is updated.
ä To modify groups:
1 Access Shared Services Console as a Functional Administrator or Directory Manager.
See “Launching Shared Services Console” on page 9.
2 Search for a group. See “Searching for Users, Groups, Roles, and Delegated Lists” on page 11.
3 Right-click a group, and then select Properties.
Note: The Group Properties screen displays the Delegated List tab if Shared Services is
deployed in Delegated Administration mode.
4 On the General tab, edit the name and description to modify the general properties of the group.
5 Open the Group Members tab and perform the actions from either step 5.a, step 5.b, or from both, to
modify group assignments:
a. To add groups to the group:
l In Directory , select the user directory from which you want to add the nested group.
Select All to search for groups in all configured directories.
l Select Group Name to search based on group names. Select Description to search
based on group descriptions.
l Enter the criterion for retrieving groups. Use * (asterisk) as the wildcard to retrieve
all available groups.
l Click Search.
l From Available Groups, select groups and click .
Selected groups are listed in the Assigned Groups list. From Assigned Groups, choose
the group, and then click to remove a selected group.
l Optional: Repeat this procedure to retrieve and assign groups from other user
directories.
b. To remove assigned groups:
Managing Native Directory Groups 39
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 40/96
l From Assigned Groups, select the group to remove.
Shared Services enables you to search the assigned groups to identify the groups
to remove. Use the fields above the Assigned Groups list to define the search criteria
for searching within the assigned groups list.
l Click .
6 Select the User Members tab, and then perform actions from either step 6.a, step 6.b, or from both, to modify user assignments:
a. To add users to group:
l In Directory , select the user directory from which you want to add users. Select
All to search for users in all configured directories.
l Select the user property (User Name, First Name, Last Name, Email Address, or
Description) to search.
l Enter the criterion for retrieving users. Use * (asterisk) as the wildcard to retrieve
all available users.
l Click Search.
l From Available Users, select users to assign to the group.
l Click .
The selected users are listed in Assigned Users list.
l Optional: Repeat this procedure to retrieve and assign users from other user
directories.
b. To remove users from the group:
l From Assigned Users, select the users to remove.
Shared Services enables you to search the assigned users list to identify the usersto remove. Use the fields above the Assigned Users list to define the search criteria.
l Click .
7 Select Delegated List (available only if Shared Services is deployed in Delegated Administration mode)
to view the delegated administrators assigned to the group.
8 Click OK .
Deleting Groups
Deleting a group removes the group’s associations with users and roles and removes the group’sinformation from Native Directory but does not delete the users or subgroups assigned to the
deleted group.
ä To delete groups:
1 Access Shared Services Console as a Functional Administrator or Directory Manag er.
See “Launching Shared Services Console” on page 9.
40 Managing Native Directory
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 41/96
2 From the View pane, select Groups.
3 Search for the group to delete. See “Searching for Users, Groups, Roles, and Delegated Lists” on page
11.
4 Right-click the group, and then select Delete.
5 Click Yes to confirm the delete operation.
6 Click OK .
Managing RolesRoles define the tasks that users can perform in EPM System applications. Roles from all
registered EPM System applications can be viewed but cannot be updated or deleted from Shared
Services Console. Functional Administrators and Provisioning Managers can perform these
tasks:
l “Creating Aggregated Roles” on page 41
l “Modifying Aggregated Roles” on page 42l “Deleting Aggregated Roles” on page 43
l “Generating Provisioning Reports” on page 51
Note: You can provision newly created users and groups. However, the roles provisioned to the
new users and groups become effective only after Shared Services refreshes its cache. By
default, the cache refresh interval is 60 minutes, which you can modify by updating the
value of Shared Services Security Cache Refresh Interval. Setting this value
to a shorter interval, for example, 30 minutes, may cause performance degradation.
Creating Aggregated Roles
To facilitate administration and provisioning, Functional Administrators and Provisioning
Managers can create aggregated roles that associate multiple application-specific roles into a
custom Shared Services role. Users with the Shared Services Provisioning Manager role can create
aggregated roles for the applications for which they are Provisioning Managers. Functional
Administrators can create aggregated roles for all EPM System applications.
For information on aggregated roles, see “Aggregated Roles” on page 15.
Note: You can create roles only after at least one EPM System application is registered with
Shared Services.
ä To create aggregated roles:
1 Access Shared Services Console as a Functional Administrator or Provisioning Manager.
See “Launching Shared Services Console” on page 9.
Managing Roles 41
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 42/96
2 In the View pane, expand Native Directory .
3 Right-click Roles, and then select New Role.
4 For Name, enter a role name (maximum 256 characters).
Role names should not contain special characters and should not start or end with a \
(backslash).
5 Optional: For Description, enter a role description.
6 From Product Name, select the application for which you want to create the role.
7 Click Next.
8 On the Role Members tab, find the roles to add.
l Click Search to retrieve all roles from the selected application.
l Enter the role name in Role Name, and then click Search to search for a specific role.
Use * (asterisk) as the wildcard in pattern searches.
9 From Available Roles, select the application roles to assign.
10 Click .
The selected roles are listed in Assigned Roles.
From Assigned Roles, select the role, and then click to remove a selected role.
11 Click Finish.
12 Click OK to return the Browse tab or Create Another to create another custom role.
Modifying Aggregated Roles
You can modify only aggregated roles; default application-specific roles cannot be modified
from Shared Services. You may change any role property except the product name.
ä To modify aggregated roles:
1 Access Shared Services Console as a Functional Administrator or Provisioning Manager.
See “Launching Shared Services Console” on page 9.
2 In the View pane, expand Native Directory .
3 Select Roles.
4 Retrieve an aggregated role. See “Searching for Users, Groups, Roles, and Delegated Lists” on page
11.5 Right-click the role, and then select Properties.
6 On the General tab, edit the name and description to modify general properties of the role.
7 To modify role member assignments, on Role Members, perform actions from step 7.a, step 7.b, or
both:
a. To add role members:
42 Managing Native Directory
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 43/96
l Retrieve the roles to add.
m Click Search to retrieve all roles.
m Enter the role name in Role Name and click Search to retrieve a specific role.
Use * (asterisk) as the wildcard in pattern searches.
l From Available Roles, select one or more.
l Click . The selected roles are listed under Assigned Roles.
From Assigned Roles, select roles, and then click to remove the selected role.
b. To remove role assignments:
l From Assigned Roles, select roles to remove.
l Click .
8 Click OK .
Deleting Aggregated RolesYou can delete aggregated roles that are created from Shared Services. You cannot delete
application-specific roles.
ä To delete aggregated roles:
1 Access Shared Services Console as a Functional Administrator or Provisioning Manager.
See “Launching Shared Services Console” on page 9.
2 In the View pane, expand Native Directory .
3 Select Roles.
4 Retrieve an aggregated role.
See “Searching for Users, Groups, Roles, and Delegated Lists” on page 11.
5 Right-click a role, and then select Delete.
6 Click Yes.
7 Click OK .
Backing Up Native Directory
Native Directory is a part of the Shared Services database. Using database backup tools, you mustregularly back up the Shared Services database to recover from loss of data due to media failures,
user errors, and unforeseen circumstances.
Backing Up Native Directory 43
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 44/96
44 Managing Native Directory
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 45/96
6
Managing Provisioning
In This Chapter
About Provisioning.. ..... ...... ..... ..... ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... ...... ....45
Provisioning Groups........................................................................................47
Deprovisioning Groups ...... ..... ...... ..... ..... ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... .48
Auditing Security Activities and Lifecycle Management Artifacts......................................49
Manually Purging Audit Data....... ..... ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... ...... ....49
Selecting Objects for Application and Application Group-Level Audits .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .50
Changing Purge Interval ...... ..... ...... ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... ...... ....50
Generating Reports ..... ...... ..... ...... ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... ...... ....51
Importing and Exporting Native Directory Data.... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ...54
About Provisioning Each organization has unique provisioning requirements. This section presents a typical flow
for provisioning users and groups with Shared Services roles.
Provisioning users and groups with Shared Services roles is designed primarily to create
administrative level users who can manage applications and provision them. EPM Systemproduct users and the groups need not be provisioned with Shared Services roles; they require
roles only from the EPM System products and applications that they need to access.
Before Starting Provisioning
Before starting provisioning, ensure that the following activities are complete.
l Plan how to provision EPM System products:
m Understand the available roles. See “Foundation Services Roles” on page 63 for a list
of EPM System product roles.
m Understand available artifact-level access permissions. Many EPM System applications
enforce artifact-level provisioning using Access Control Lists (ACL) to restrict access to
artifacts. For example, an account is a Planning artifact for which access rights can be
set.
m Identify the users and groups to provision. These users and groups can belong to Native
Directory or to an external user directory.
About Provisioning 45
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 46/96
l Determine the provisioning mode: centralized (default) or Delegated Administration mode.
The scope of the roles assigned to Delegated Administrators is limited to the delegated lists
assigned to them. For example, if user Admin1 is assigned the Essbase Provisioning Manager
role for DelegatedList1, Admin1 can provision only the users from DelegatedList1. See
Chapter 4, “Delegated User Management.”
Overview of Provisioning StepsAll Shared Services provisioning activities must be performed by a Functional Administrator or
Provisioning Manager.
Provisioning users and groups should follow a provisioning plan tailored for your organization.
Typically, you should create Functional Administrators and application-specific provisioning
managers to provision EPM System users and groups. Depending on the needs of your
organization, you could also create other power users; for example, LCM Administrators, by
assigning Shared Services roles. See “Foundation Services Roles” on page 63 for a discussion
of available roles and their access privileges.
EPM System products can have two types of users: administrators and end users. Generally,administrators support EPM System products by performing administrative actions such as
managing user directories, creating applications, provisioning users and groups, and migrating
applications and artifacts. End users utilize the functionalities of the applications; for example,
to create plans using a Planning application.
Typically, administrative users cannot perform EPM System product functions. For example,
without functional role assignments, a Planning Provisioning Manager cannot create or manage
plans using a Planning application.
Provisioning Administrative Users
Provisioning administrative users and groups involves using Shared Services Console to assign
the required EPM System product administrator roles. For example, the Planning Provisioning
Manager role enables the recipient to provision users and groups with Planning roles. Other
EPM System products have similar administrative roles. A Functional Administrator must assign
these administrative roles to users and groups using the Shared Services Console.
You can combine roles to assign additional access privileges to a user or group or to provide
administrative access across EPM System components. Oracle does not recommend combining
Provisioning Manager and Directory Manager roles.
Provisioning EPM System UsersYou must provision users with application roles to allow them to access EPM System
applications. Functional Administrators and Provisioning Managers perform the following steps
to provision users and groups:
1. From the Shared Services Console, identify and select the users (or the groups to which they
belong) who need access to the EPM System. See “Searching for Users, Groups, Roles, and
Delegated Lists” on page 11.
46 Managing Provisioning
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 47/96
2. Assign roles that allow users to access EPM System components. For example, all Essbase
users should have the Server Access role for the Essbase Cluster (by default,
EssbaseCluster-1). See “Provisioning Groups” on page 47.
EPM System roles are described in Appendix A, “EPM System Roles.”
3. Assign application-specific roles that grant access to the functions of EPM System
applications. For instance, Essbase application Esb_App1 provides the Calc role, which can
be assigned to users who must work with Calc scripts of Esb_App1.
These roles are assigned on a per-application basis. For example, roles from Essbase
application Esb_App1 allows users to access functionalities in Esb_App1 only.
4. Using a product administration screen, assign access to the artifacts managed by the EPM
System application.
You can launch the administration screen of some applications from Shared Services
Console using these steps:
Artifact-level access control allows administrators to fine-tune access to application objects.
Because these access privileges are by design more granular than application roles, you can
use them to restrict the access rights that were granted using roles.
a. In the View pane of Shared Services Console, expand Application Groups.
b. Expand the application group node that contains the application.
c. Right-click the application to provision.
d. Select Assign Access Control. A product administration screen, which is not a part of
Shared Services Console, opens.
e. Provision users.
Artifact-level access control is explained in the Administration Guide of the EPM System
product.
Provisioning GroupsProvisioning is the process of granting EPM System roles to users and groups. Provisioning is
performed by Provisioning Managers or Functional Administrators by assigning EPM System
application roles to a group. See “Provisioning (Role-based Authorization)” on page 14.
Note: Provisioning managers cannot modify their own provisioning data.
Tip: To facilitate administration, Oracle recommends that you provision groups rather than
users, and that you use aggregated roles.
ä To provision users or groups:
1 Access Shared Services Console as a Functional Administrator or Provisioning Manager.
Provisioning Groups 47
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 48/96
See “Launching Shared Services Console” on page 9.
2 Find and select groups to provision.
See “Searching for Users, Groups, Roles, and Delegated Lists” on page 11.
3 Select Administration and then Provision.
4 Optional: Select a view.
Roles can be displayed in a hierarchy (tree) or a list. You must drill down the hierarchy to
display available roles. The list view lists available roles but does not show their hierarchy.
5 Select roles, and then click .
6 Click OK .
Deprovisioning GroupsDeprovisioning removes the application roles that are assigned to the group. Functional
Administrators can deprovision roles from one or more applications. Provisioning managers of
applications can deprovision roles from their applications. For example, assume that the group
Sales_West is provisioned with roles from Planning and Oracle Hyperion Financial
Management. If this group is deprovisioned by a Planning Provisioning Manager, only the roles
from Planning are removed.
Note: Functional administrators can deprovision their own accounts. Because Shared Services
require at least one System Administrator (a user who is provisioned with the Shared
Services Administrator role) in Native Directory, administrators must verify the existence
of such an account before deprovisioning themselves.
ä To deprovision groups:
1 Access Shared Services Console as a Functional Administrator or Provisioning Manager.
See “Launching Shared Services Console” on page 9.
2 Find the group to deprovision.
See “Searching for Users, Groups, Roles, and Delegated Lists” on page 11.
3 Right-click the group, and then select Deprovision.
4 Perform an action:
l To remove role assignments from specific applications, make selections.
l To remove all provisioned roles, select Check All.
5 Click OK .
6 In the confirmation dialog box, click Yes.
7 In the Deprovision Summary screen, click OK .
48 Managing Provisioning
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 49/96
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 50/96
Caution! Functional Administrators must purge the data based on your company's audit data
retention policies. Before purging data, back up the Shared Services database.
ä To purge audit data:
1 Access Shared Services Console as a Functional Administrator. See “Launching Shared Services
Console” on page 9.2 Select Administration and then Configure Auditing .
3 In Purge Data Older than, set the number of days for which audit data is to be retained.
4 Click OK .
Selecting Objects for Application and Application
Group-Level AuditsOnly Functional Administrators can select objects for auditing at application and application
group levels.
ä To select objects for auditing:
1 Access Shared Services Console as a Functional Administrator. See “Launching Shared Services
Console” on page 9.
2 In the View pane, right-click one of the following, and then select Configure Auditing :
l An application group to enable auditing for all the applications in the application group
l An application to enable auditing for the application
Note: If Allo w Global Settings Override is selected on the Audit configuration screen,
Configure Auditing is not enabled at the application group and application levels. See
“Auditing Security Activities and Lifecycle Management Artifacts” on page 49.
3 From Select Tasks, select the tasks for which audit data is to be preserved. Tasks are categorized based
on the applications registered with Shared Services.
4 Click OK .
Changing Purge IntervalBy default, a background thread removes audit data that is older than 25 days. You can modify
the AUDIT.PURGE.EARLIERTO.DAYS Shared Services Registry setting to change the purge
interval.
50 Managing Provisioning
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 51/96
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 52/96
2 Select a role.
See “Searching for Users, Groups, Roles, and Delegated Lists” on page 11.
3 Select Administration and then View Report.
4 Enter report generation parameters.
Table 2 View Report Screen
Label Description
Find All Select the object type (user, group, or role) for which the report is to be generated.
For Users or For
Roles
The label of this changes depending on what is selected in Find All.
Filter By The criterion to use to filter the report data.
Show Effective
Roles
Select Yes to report on all effective roles (inherited as well as directly assigned). Inherited roles (as opposed
to directly assigned roles) are assigned to groups to which the user or group belongs. Select No to report only
on directly assigned roles.
Group By Select how to group the data in the report. Available grouping criteria depend on the selection in Find All.
Results Per Page Number of report results to display in a page. Default is 500.
In Application Select the applications from which provisioning data is to be reported, or select Select All to report on all
applications.
Note: You can report only on the applications belonging to an application group.
5 Select Create Report.
6 Optional: To print the report:
a. Click Print Preview .
b. Click Print.
c. Select a printer and then click Print.
d. Click Close.
7 Optional: Click Export to CSV to export the report into a Comma Separated Value (CSV) file.
8 Click OK .
Generating Audit Reports
Three audit reports—Security Reports, Artifact Reports, and Config Report—can be generated.The Security Report displays audit information related to the security tasks for which auditing
is configured. Artifact Report presents information on the artifacts that were imported or
exported using Lifecycle Management.
Functional Administrators can generate and view audit reports to track historical changes to the
security data.
52 Managing Provisioning
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 53/96
Note: Auditing must be configured before you can generate audit reports. See “Auditing Security
Activities and Lifecycle Management Artifacts” on page 49.
ä To generate audit reports:
1 Access Shared Services Console as a Functional Administrator.
2 Select Administration, and then Audit Reports.
3 Select an option:
l Security Reports to generate Security Audit report
l Artifact Reports to generate a report on the artifacts that were migrated using Lifecycle
Management
l Config Reports to generate security audit report on the configuration tasks that were
performed
Note: These reports are automatically generated to show the data for users for the last 30
days.4 To regenerate the report, select parameters:
a. In Performed By , select the users for which the report is to be generated.
b. In Performed During , select the period for which the report is to be generated. You can
set the period as number of days or as a date range.
c. Optional: Select Detailed View to group the report data based on the attribute that was
modified and the new attribute value.
d. Optional: In Per Page, select the number of rows of data to display in a report page.
e. Click View Report.
5 To create a CSV file containing the report data, click Export.
a. Select Save as CSV .
b. Click OK .
c. Click Open to open the file or Save to save the file to the file system. By default, the
Security Report file is named auditsecurityreport.csv, the Artifact Report is
named AuditArtifactReport.csv, and the Config Report is named
AuditConfigReport.csv.
6 Click Close.
Generating Migration Status Report
The Migration Status Report contains information on the artifact migrations performed using
the Lifecycle Management functionality. For each migration, this report presents information
such as the user who performed the migration, source, destination, start time, completed time,
duration, and status.
Generating Reports 53
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 54/96
For failed migrations, you can view the information such as the source and destination
applications, artifact path, artifact name, and error that cause the migration to fail.
ä To generate Migration Status Report:
1 Access Shared Services Console as a Functional Administrator.
2 Select Administration, and then Migration Status Report.
This report is automatically generated to show all migrations performed in the last 30 days.
3 To regenerate the report, click Refresh.
4 To close the report, click Cancel.
Importing and Exporting Native Directory DataUse Lifecycle Management to perform the following tasks:
l Move provisioning data across environments
l Bulk provision users and groups
l Manage users and groups in Native Directory
See the Oracle Enterprise Performance Management System Lifecycle Management Guide.
54 Managing Provisioning
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 55/96
7
Managing Taskflows
In This Chapter
About Taskflows............................................................................................55
Taskflow Components . .. .. .. .. . .. .. .. .. . .. .. .. .. . .. .. .. .. .. .. .. .. .. . .. .. .. .. . .. .. .. .. .. .. .. .. .. . .. .. .. .. . .55
Prerequisites for Working with Taskflows.................................................................57
Creating and Managing Taskflows.. ..... ...... ..... ...... ..... ..... ...... ..... ...... ..... ...... ...... ....57
Viewing Taskflow Information ..... ...... ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... ...... ....60
Scheduling Taskflows......................................................................................60
Manually Running Taskflows ..... ...... ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... ...... ....60
Viewing Taskflow Status and Execution Details ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ...61
Taskflow Scripts Location .. .. .. .. .. .. .. . .. .. .. .. . .. .. .. .. .. .. .. .. .. . .. .. .. .. . .. .. .. .. .. .. .. .. .. . .. .. .. .. . .61
About TaskflowsTaskflows automate some or all of a business process. Tasks are passed from one taskflow
participant to another based on a set of procedural rules. Taskflows can automate product tasks
in EPM System components such as Financial Management, Oracle Hyperion Profitability and
Cost Management, and Oracle Hyperion EPM Architect.
Two types of taskflow actions––automatic and manual––are supported. Automatic taskflow
actions are started by the workflow engine and executed by an EPM System component without
any user interaction. Manual taskflow actions are started by workflow engine but are executed
manually by users.
Taskflow ComponentsGenerally, taskflows are designed to utilize a number of variables, stages, and links.
Stages
A stage describes a step in a taskflow usually performed by one individual. Each stage has one
application action or event in the taskflow. Actions can have parameters for which values are
supplied at runtime.
About Taskflows 55
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 56/96
Many default actions are available for each EPM System component that uses taskflows. These
actions are defined and managed by taskflow-enabled EPM System components. Shared Services
default actions are described in Table 3. See the following information sources for description
of actions available for other EPM System components:
l Oracle Hyperion Enterprise Performance Management Architect Administrator's Guide for a
description of Performance Management Architect actions
l Oracle Hyperion Financial Management User's Guide for a description of FinancialManagement actions
Table 3 Default Stage Actions and Parameters: Shared Services
Action Parameters
1
This action automatically sends an email message. Complete these parameters for the email action:
l To: Enter the recipient's email address
l Subject: Enter a subject for the e-mail
l Message: Select a variable (by double-clicking a variable from the variables list) to display success or failure
l
Variables: Lists the available variables for the email action
Execute This action runs an external program from a command line. Complete these parameters for the execute action:
l Command: Enter a command to run an external program.
The external program can be a valid command line script (such as a.bat script on Windows or a .shscript on UNIX) and
any valid program execution command. Ensure that your script file does not resolve the path dynamically; if the file uses
any variables to resolve the path, it will not work.
For example, to launch Internet Explorer, enter: IEXPLORE.EXE. See “Taskflow Scripts Location” on page 61.
1SMTP mail configuration must be available in Foundation Services for this action to execute successfully.
LinksLinks connect taskflow stages. Links can be unconditional where the completion of a stage leads
to the start of the next stage, or conditional where the results of the operations of a stage
determines how the taskflow proceeds.
Links specify the action that the taskflow should take next. Every stage needs a link. Generally,
most stages have two links: success and failure. For the success link, you specify the next
processing stage (receiving stage) based on the results of the current stage. For the failure link,
you specify the action to take if the taskflow action in the stage fails.
For example, you can set a success link so that if Data_Synchronization action in a Performance
Management Architect taskflow stage succeeds, Performance Management Architect proceedsto the Redeploying_Consolidation stage. You can also set a failure link so that if the
Data_Synchronization action fails, Performance Management Architect stops the process and
terminates the taskflow.
The last stage in each taskflow must have a final link with “End” as the target to complete the
taskflow.
56 Managing Taskflows
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 57/96
Variables
Taskflows use variables as global contexts that can be referenced throughout their runtime
lifecycles. Variables created within a taskflow can be used to pass values from one stage to another
within a taskflow.
Prerequisites for Working with TaskflowsEPM System provides the following global taskflow roles. Users who are assigned these roles can
work with taskflows from any EPM System component.
l Mange Taskflow: this role allows users to create, edit, schedule, assign ACLs, and run
taskflows across EPM System components.
l Run Taskflow: this role permits users to run and schedule taskflows across EPM System
components. Users who are assigned only this role cannot create or edit taskflows.
Creating and Managing TaskflowsYou can use the Manage Task Flow screen of EPM Workspace or a product-specific screen to
work with taskflows. To access the taskflow screen from an EPM System component, in addition
to taskflow roles (see “Prerequisites for Working with Taskflows” on page 57), you must have
application roles that grant you access to these EPM System components.
Accessing the Manage Taskflow Screen
Typically, you use the Manage Task Flow screen of EPM Workspace to work with taskflows. This
screen is accessible to all EPM System users who have the Manage Taskflow role.
ä To access Manage Task Flows screen:
1 Log into EPM Workspace.
2 Select Navigate, and then Application Library .
3 Select Administration, and then Manage Taskflows.
Creating Taskflows
ä To create taskflows:
1 Open the Manage Task Flows screen. See “Accessing the Manage Taskflow Screen” on page 57.
2 In Manage Task Flows, click New .
3 In Name, enter a unique taskflow name.
4 In Application, enter the name of the application to which this taskflow belongs.
Prerequisites for Working with Taskflows 57
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 58/96
The application name is used to categorize applications in the Manage Taskflows screen.
5 For Description, enter a taskflow description.
6 Click Submit.
The taskflow editor, which allows you to add stages and links, is displayed.
7 Add stages to the taskflow:
a. On General, enter the following information:
l Name: Enter a stage name.
l UserName: Enter the EPM System user whose account will be used to initiate the
taskflow stage.
l Password: Enter the password of the user identified in the UserName field.
b. On Processing, enter the following information:
i. In Application, select an application from which to run the task.
ii. In Action, select an action to perform and then enter the required information.
Actions available in Actions list reflect the selected application. For a list of actionsfor each EPM System component, see the following topics:
l See Table 3, “Default Stage Actions and Parameters: Shared Services,” on
page 56 for a list of available Shared Services actions.
l See the Oracle Hyperion Enterprise Performance Management Architect
Administrator's Guide for a list of Performance Management Architect
actions .
l See the Oracle Hyperion Financial Management User's Guide for a list of
Financial Management actions.
c. On Starting Event, enter the following information to schedule an event:i. In Starting Event, select Scheduled Event.
ii. In Start Date, enter the date on which the task is to be run.
iii. In Start Time, select a time at which the task should start.
iv. If this task is to be repeated, select the Recurrence, and in Recurrence Pattern, select
the task frequency.
v. Select an option for the task end date and time:
l No End Date
l End After occurrences, and enter the number of occurrences.
l End Date, enter an end date, and then select an End Time.
d. Optional: add more stages to the taskflow.
8 Add links to taskflow stages:
a. Select the stage for which link is to be added, and then click Add Link.
b. In General, enter a unique link name and an optional description.
58 Managing Taskflows
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 59/96
c. In Receiving Stage select the next stage in the taskflow.
d. Optional: Set link conditions if needed.
9 Click Save.
Editing Taskflows
ä To edit taskflows:
1 Open the Manage Task Flows screen. See “Accessing the Manage Taskflow Screen” on page 57.
2 From Taskflow Listing Summary, select a taskflow, and then click Edit.
The first stage of the task flow is selected by default.
3 In Password, enter the password of the EPM System user whose account is used to initiate the taskflow
stage.
4 Edit the current stage, if required, or select another stage by clicking the stage name.
a. In General, complete these steps.
i. Optional: Change the stage name and the EPM System user whose account is used
to initiate the taskflow.
ii. In Password, enter the password of the EPM System user whose account is used to
initiate the current taskflow stage.
b. In Processing, modify the following stage processing information. You can change the
values in any field on this tab.
l See Table 3, “Default Stage Actions and Parameters: Shared Services,” on page
56 for a list of available Shared Services actions.
l See the Oracle Hyperion Enterprise Performance Management Architect Administrator's Guide for a list of Performance Management Architect actions.
l See the Oracle Hyperion Financial Management User's Guide for a list of Financial
Management actions.
c. In Starting Event, modify schedule for starting the stage.
d. Optional: Modify links, if needed.
Note: Before you can edit links, you must, at a minimum, enter the password of the
EPM System user whose account is used to initiate the current taskflow stage.
i. Click the name of the link that you want to edit.
ii. In General, edit link details, such as name, description, and receiving stage. You
cannot modify the sending stage of the link.
iii. Optional: Modify link conditions if needed.
5 Click Save.
Creating and Managing Taskflows 59
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 60/96
Viewing Taskflow InformationThe Taskflow Listing Summary on Manage Taskflows lists all defined taskflows.
ä To view taskflow information:
1 Open the Manage Task Flows screen. See “Accessing the Manage Taskflow Screen” on page 57.
2 Select the taskflow that you want to view.
3 Click Edit.
Scheduling TaskflowsYou can schedule taskflow execution from the Manage Taskflows screen.
ä To schedule an existing taskflow:
1 Open the Manage Task Flows screen. See “Accessing the Manage Taskflow Screen” on page 57.
2 Select the taskflow that you want to schedule.
3 Click Schedule Taskflow .
4 In Starting Event, select Scheduled Event.
5 In Start Date, select the date on which the taskflow should be run.
6 In Start Time, use the drop-down lists to select the time at which the taskflow execution should start.
7 Optional: To schedule jobs to run on a recurring basis:
a. Select Recurrence.
b. In Recurrence Pattern, select a recurring pattern, such as Monthly or Weekly.
c. Schedule frequency for the selected recurrence pattern.
8 Optional: To schedule the taskflow to run until it is manually cancelled or deleted, select No End Date.
9 Optional: To schedule the taskflow to run a specified number of times, select End After x
Occurrences. In the text box, enter the number of times the job is to be run.
10 Optional: To run the taskflow until a specified date, selec t End Date, and then select the date and time
of the final run.
11 Click Save.
Manually Running Taskflows
ä To run a taskflow:
1 Open the Manage Taskflows screen. See “Accessing the Manage Taskflow Screen” on page 57.
2 Select the taskflow that you want to run.
60 Managing Taskflows
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 61/96
3 Click Run Now .
Viewing Taskflow Status and Execution DetailsUse the Taskflow Status Summary screen to monitor taskflow status.
ä To view taskflow status:
1 Log into EPM Workspace.
2 Select Navigate, and then Application Library .
3 Select Administration, and then View Taskflow Status.
4 In Manage Taskflows, select the search criteria to locate the taskflow that you want to monitor.
l To search for taskflows in a specific execution status, in Status, select a taskflow status.
Select All to search for taskflows in any status.
l To search for taskflows belonging to a specific application, in Application, select the
application to which the taskflow belongs.
l To search for a specific taskflow, in Taskflow , select taskflow name.
5 To limit the search to a specific time period, set start and end values in values Initiated Between.
6 Click Search.
7 Optional:Click Refresh to update status information.
8 Optional: To end a running taskflow, select the taskflow, and then click Stop.
The taskflow stops when the application returns the results of the selected step. The results
for previous steps are not discarded; however, if the taskflow is rerun, it begins at the first
step.
9 To view detailed taskflow execution details, click the taskflow ID.
The Taskflow Participant Summary is displayed, showing details of the task and its status.
10 Click Cancel to return to Taskflow Status Summary.
Taskflow Scripts LocationAll scripts that are to be executed during a taskflow stage must be stored in a dedicated directory.
The default location for the directory containing such scripts is EPM_ORACLE_HOME /common/
utilities.If you want to store taskflow scripts in directory other than the default directory, you must
update a Shared Services Registry property by running one of the following commands at a
command prompt. In this command, replace SCRIPT_LOCATION with the absolute path of the
directory where taskflow scripts are stored.:
l epmsys_registry.bat updateproperty SHARED_SERVICES_PRODUCT/
@workflowEngine.ces.location SCRIPT_LOCATION (Windows)
Viewing Taskflow Status and Execution Details 61
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 62/96
l epmsys_registry.sh updateproperty SHARED_SERVICES_PRODUCT/
@workflowEngine.ces.location SCRIPT_LOCATION (UNIX/LINUX)
For example, you may run the following command for a Windows deployment:
epmsys_registry.bat updateproperty
SHARED_SERVICES_PRODUCT/@workflowEngine.ces.location C:\taskflowscripts
You must secure the SCRIPT_LOCATION directory from unauthorized access. Further, toenhance security, run services and processes using a secure user account.
Restart EPM System after updating Oracle Hyperion Shared Services Registry.
62 Managing Taskflows
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 63/96
A
EPM System Roles
In This Appendix
Foundation Services Roles ..... ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... ...... ..... ...... ..63
Essbase Roles... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
Essbase Studio Roles......................................................................................67
Reporting and Analysis Roles..... ...... ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... ...... ....68
Financial Management Roles.. ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... ...... ..... ...... ..70
Disclosure Management Roles ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... ...... ..... ...... ..72
Financial Close Management Roles.... ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... ...... ....72
Account Reconciliation Management Roles.............................................................73
Planning Roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Profitability and Cost Management Roles ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ...76
Performance Scorecard Roles ..... ..... ...... ..... ...... ..... ...... ...... ..... ...... ..... ...... ...... ....80
Strategic Finance Roles ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
Provider Services Roles... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
Data Integration Management Roles.....................................................................81
FDM Roles ..... ...... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
FDMEE Roles ... ... .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Integrated Operational Planning Roles...................................................................83
Foundation Services RolesFoundation Services roles comprise power roles belonging to these components:
l Shared Services
l Performance Management Architect
l Oracle Hyperion Calculation Manager
l “Financial Management Manager Roles” on page 66
Shared Services Roles
All Shared Services roles are power roles. Typically, these roles are granted to power users who
are involved in administering Shared Services and other EPM System products.
Foundation Services Roles 63
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 64/96
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 65/96
Performance Management Architect Roles
All Performance Management Architect roles are power roles. Typically, they are granted to
power users who must create applications and administer application dimensions.
Table 5 Performance Management Architect Roles
Role Description
Performance Management Architect
Administrator
The Performance Management
Architect Administrator role
comprises these roles:
l Application Creator
m Essbase Application Creator
m Financial Management
Application Creator
m Planning Application Creator
m Profitability Application
Creator
l Dimension Editor
Creates and deploys Performance Management Architect applications. Application Creators own all
dimensions in undeployed applications. They can create dimensions but can change only the
dimensions to which they have access permissions.
Required, in addition to the Dimension Editor role, for Financial Management and Planning users
to be able to navigate to their product’s Classic Application Administration options.
When a user with Application Creator role deploys an application from Performance Management
Architect, that user automatically becomes the application administrator and provisioning manager
for that application.
Performance Management Architect Administrators can also perform these Transaction History Purge
Utility operations:
l Access all applications, even if the user did not deploy the applicationl Manually mark a stalled job as timed out
l View hidden jobs
l Open the application diagnostics screen to run tests and solutions on all applications
Essbase Application Creator Creates Essbase applications and generic applications using Performance Management Architect
Financial Management Application
Creator
Creates Consolidation applications and generic applications using Performance Management
Architect. To create applications, the user must also be a member of the Application Creators group
specified in Financial Management Configuration Utility.
Planning Application Creator Creates Planning applications and generic applications using Performance Management Architect
Profitability Application Creator Creates Profitability and Cost Management applications generic applications using PerformanceManagement Architect
Dimension Editor 1 Creates, manages, and imports profiles to create dimensions in Performance Management Architect.
Creates and manages dimensions manually within Performance Management Architect.
Required to access Classic Application Administration options for Financial Management and
Planning using web navigation.
1Only Dimension Editors can create dimensions in the Shared Library.
Calculation Manager Roles
All Calculation Manager roles are power roles. Typically, they are granted to create Calculation
Manager Administrators.
Foundation Services Roles 65
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 66/96
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 67/96
Table 8 Essbase Server Roles
Role Description
Administrator Full access to administer Essbase Server, applications, and databases
Note: The Provisioning Manager role is automatically assigned when you migrate Essbase Administrators; however,
when you create an Essbase Administrator in Shared Services Console, you must manually assign the Provisioning
Manager role.
Create/Delete
Application
Creates and deletes applications and databases. Includes Application Manager and Database Manager permissions
for the applications and databases created by this user.
Server Access Accesses any application or database belonging to this Essbase Server. This level is the minimum access permission
a user must have to access applications and databases.
Provisioning
Manager
Provisions users with roles of this Essbase server
Table 9 Essbase Application Roles
Role Description
Application Manager Creates, deletes, and modifies databases and application settings within the assigned application. Includes
Database Manager permissions for databases within the application. An Application Managers can delete only
those applications and databases that he created.
Note: The Provisioning Manager role is automatically assigned to you when you migrate Essbase Application
Managers; however, when you create an Essbase Application Manager in Shared Services Console, you must
manually assign to yourself the Provisioning Manager role.
Database Manager Manages the databases, database artifacts, and locks within the assigned application
Calc Calculates, updates, and reads data values based on assigned scope, using any assigned calculations and fi lter
Write Updates and reads data values based on assigned scope, using any assigned filter
Read Reads data values
Filter Accesses specific data and metadata according to filter restrictions
Start/Stop Application Starts and stops applications or databases
Provisioning Manager Provisions Essbase users with roles from this application
Essbase Studio Roles
Table 10 Essbase Studio Roles
Role Description
Essbase Studio Administrator Performs all Oracle Essbase Studio tasks, including deploying cubes and executing drill-
through reports
Essbase Studio Data Source Administrator Performs all tasks related to metadata element creation and maintenance; deploys cubes;
executes drill-through reports
Essbase Studio Roles 67
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 68/96
Role Description
Essbase Studio Metadata Administrator Performs all tasks related to data source connection creation and maintenance; executes
drill-through reports
Essbase Studio Viewer Views all Essbase Studio data sources and metadata elements; executes drill -through reports
Provisioning Manager Provisions Essbase Studio users
Reporting and Analysis Roles
Table 11 Reporting and Analysis Roles
Role Description
Power Roles
Reporting and Analysis
Administrator
Conditionally accesses all resources (unless the file is locked by “no access”), but not all functionality; accesses
the Administer and Impact Manager modules
Applies to Oracle Hyperion Financial Reporting, Oracle Hyperion Interactive Reporting, Oracle Hyperion SQR
Production Reporting, and Oracle Hyperion Web Analysis
Reporting and Analysis
Global Administrator
Universally and implicitly accesses all resources and functionality; accesses the Administer and Impact Manager
modules
Note: Reporting and Analysis Global Administrators can never be denied access.
Applies to Financial Reporting, Interactive Reporting, Production Reporting, and Web Analysis
Content Manager Manages imported repository content and execute tasks, with implicit access to all resources (unless the file is
locked by “no access”); contains the Data Source Publisher role
Applies to Financial Reporting, Interactive Reporting, Production Reporting, and Web Analysis
Data Source Publisher Imports data source connectivity files
Applies to Interactive Reporting and Web Analysis
Favorites Distributor Pushes content to users’ Favorites folders using the Favorites Manager
Applies to Financial Reporting, Interactive Reporting, Production Reporting, and Web Analysis
Job Manager Creates and manages public job parameters, output directories, and output printer locations
Applies to Interactive Reporting and Production Reporting
Note: This role does not apply to, and should not be assigned to Financial Management and Planning users
who access Financial Reporting or Web Analysis through EPM Workspace.
Schedule Manager Creates and manages events, calendars, time events, public parameters, and physical resources; createsbatches; contains the Scheduler and Job Manager roles
Applies to Financial Reporting, Interactive Reporting, and Production Reporting
Provisioning Manager Provisions Reporting and Analysis users
68 EPM System Roles
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 69/96
Role Description
Interactive Roles
Analyst Accesses interactive content using full analytic and reporting functionality
Applies to Interactive Reporting and Web Analysis
Content Publisher Imports, saves, and modifies batches, books, reports, and documents; creates and modifies shortcuts andfolders. Deletes data sources and database connections in Financial Reporting through EPM Workspace.
Applies to Financial Reporting, Interactive Reporting, Production Reporting, and Web Analysis.
Data Editor Pushes Web Analysis data to Essbase
Job Publisher * Imports and modifies documents, jobs, and job output; runs jobs; contains the Smart Form Publisher role
Applies to Interactive Reporting and Production Reporting
Personal Page
Publisher *Publishes Personal Pages to the repository, where they can be viewed by other repository users; contains the
Personal Page Editor role.
Applies to Interactive Reporting and Production Reporting
Report Designer Accesses authoring studios to create and distribute documents
Applies to Financial Reporting and Web Analysis
Scheduler Schedules jobs and batches using the Schedule module; navigates the repository and assigns access control;
contains the Explorer and Job Runner roles
Applies to Financial Reporting, Interactive Reporting, and Production Reporting
Smart Form Publisher * Loads custom forms for programs (forms prompt job runners to enter information used to define jobs)
Applies to Production Reporting
Note: You must have the Job Publisher role to leverage Smart Form Publisher functionality.
Personal Page Editor *
Creates, modifies, and customizes Personal Pages; copies content from other users' published Personal Pages
Applies to Interactive Reporting and Production Reporting
View Roles
Dynamic Viewer * Views, reprocesses, and prints Interactive Reporting documents
Explorer Lists repository content in the Explore module and in context using the Open dialog box; searches, views, and
subscribes to content.
Note: Access to the repository does not grant access to individual files and folders, which are secured by file
properties and permissions.
Applies to Financial Reporting, Interactive Reporting, Production Reporting, and Web Analysis
Interactive Reporting
Viewer *Reviews and prints static Interactive Reporting documents
IR HTML Viewer Uses the HTML Viewer to browse BQY documents. This role is not automatically assigned to users who were
migrated from a previous version.
IR WebClient Viewer Uses Interactive Reporting plug-in to browse BQY documents. This role is not automatically assigned to users
that were migrated from a previous version.
Reporting and Analysis Roles 69
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 70/96
Role Description
Job Runner * Runs jobs and views public job parameters and physical resources
Applies to Interactive Reporting and Production Reporting
Personal Page Editor * Creates, modifies, and customizes Personal Pages; copies content from other users' published Personal Pages
Applies to Interactive Reporting and Production Reporting
Personal Parameter
Editor
Defines points of view and personal parameters on database connections to customize query result sets
Applies to Interactive Reporting, Production Reporting, and Web Analysis
Viewer Reviews EPM Workspace content. The content is static and accessible only from the Favorites folder.
Note: This role provides minimal user functionality; use it only when no other role assignments are possible.
Applies to Financial Reporting, Interactive Reporting, Production Reporting, and Web Analysis
System Roles
Trusted Application Enables credentialed client-server communication of Interactive Reporting database connection files (.oce
extension) that encapsulate connectivity, database type, network address, and database user name information
Financial Management RolesAdditional Shared Services roles are required for Performance Management Architect and
Calculation Manager. See “Foundation Services Roles” on page 63.
Table 12 Financial Management Roles
Role Description
Power Roles
Application Administrator Performs all Financial Management tasks. Access to this role overrides any
other access setting for the user.
Load System Loads rules and member lists
Inter-Company Transaction Admin Opens and closes periods, locks and unlocks entities, and manages reason
codes. Users with the role can also perform all intercompany tasks.
Interactive Roles
Rules Administrator Performs any Calculation Manager tasks for the specific application
Rules Designer Creates new rules objects and modifies or deletes rules objects
Approve Journals Approves or rejects journals
Create Journals Creates, modifies, deletes, submits, and unsubmits journals
Create Unbalanced Journals Creates unbalanced journals
70 EPM System Roles
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 71/96
Role Description
Default Opens and closes applications; manages documents and favorites; manages
Smart View; and accesses running tasks, data tasks, and load and extract
tasks. Cannot extract metadata or rules.
Journals Administrator Performs all tasks related to journals
Post Journals Posts and unposts journals
Manage Templates Grants access to the journals templates for managing journals
Generate Recurring Grants access to the generate recurring task for managing journals
Review Supervisor Starts process management units and approves and publishes process
management data. Can promote or reject process units, depending on process
level.
Reviewer 1 through Reviewer 10 Views and edits a block of data when that data is at the user’s designated
process management level
Submitter Submits a block of data for final approval
Lock Data Locks data in Data Explorer
Unlock Data Unlocks data in Data Explorer
Consolidate All Runs consolidate all
Consolidate Runs consolidate
Consolidate All with Data Runs consolidate with all data
Run Allocation Runs allocations
Manage Data Entry Forms Manages data entry forms on the web
Save System Report On Server Saves system reports on server
Load Excel Data Loads data from Oracle Hyperion Smart View for Office
Inter-Company Transaction User Creates, edits, deletes, loads, and extracts transactions. Runs matching report
by account or ID, runs transaction report, and drills through from modules.
Inter-Company Transaction Match Template Manages intercompany matching templates
Inter-Company Transaction Auto Match by Account Automatically matches intercompany transactions by account
Inter-Company Transaction Auto Match by ID Automatically matches intercompany transactions by ID
Inter-Company Transaction Manual Match with Tolerance Manually matches intercompany transactions with tolerance check
Inter-Company Transaction Manual Match Manually matches intercompany transactions
Inter-Company Transaction Unmatch Unmatches intercompany transactions
Inter-Company Transaction Post/Unpost Posts and unposts intercompany transactions
Financial Management Roles 71
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 72/96
Role Description
Enable write back in Web Grid Enters and saves data directly to a Web Grid
Database Management Copies and clears data and deletes invalid records
Manage Ownership Enters and edits ownership information
Manage Custom Documents Loads and extracts custom documents to and from the server
Extended Analytics Exports data to a database
Data Form Write Back from Excel Submits data from Smart View while using a Web Data Entry Form
View Roles
Advanced User Uses the Browser View and can access Running Tasks
Rules Viewer Views rules objects
Read Journals Reads journals
Receive Email Alerts for Process Control Receives e-mails
Receive Email Alerts for Intercompany Receives e-mails
Reserved Not currently used
View Data Audit View and export data audit information
View Task Audit View and export task audit information
Disclosure Management Roles Table 13 Disclosure Management Roles
Role Description
Provisioning Manager Provisions users and groups with Oracle Hyperion Disclosure Management roles
Disclosure Management User Performs Disclosure Management actions
Financial Close Management RolesNative Directory users cannot perform tasks granted by Oracle Hyperion Financial Close
Management roles, because they cannot use single sign-on with Fusion Middleware. If Native
Directory users must perform Financial Close Management tasks, they must be created as Fusion
Middleware users too.
72 EPM System Roles
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 73/96
Table 14 Financial Close Management Roles
Role Description
Close Manager
Administrator
Administers Financial Close Management. Performs the tasks that Close Power User and Close User can perform.
Close Manager Power
User
l Performs tasks that Close User can perform
l Create and manage alert types
Close Manager User Performs these tasks:
l Views templates
l Accesses Reporting and Analysis and transactional dashboards
l Modifies status
l Creates and modifies alerts, comments, and questions
l Creates and manages filters
Account Reconciliation Management Roles
Table 15 Account Reconciliation Management Roles
Role Description
Reconciliation
Administrator
l Full access to system setup, filters, attributes, periods, reconciliation instances, rates, and reporting
l Adds and remove own comments
l Removes commentary from reconciliations to accommodate cases where the commentary that was entered by a
user who separated from the company must be removed
l Cannot prepare or view account reconciliations
Reconciliation
Power User
l Full access to filters, reconciliation profiles, reconciliation instances, and reporting
l Adds and remove own comments
l Removes commentary from reconciliations to accommodate cases where the commentary that was entered by a
user who separated from the company must be removed
Reconciliation
Commentator
l Adds comments to reconciliations and associated transactions
l Creates reports
l Creates private filters
Reconciliation
Preparer
l Performs all functions related to preparation of reconciliations including adding, editing, flagging, and removing
transactions; adding and removing comments; adding and removing attachments; answering questions; and
submitting reconciliations for review
l Creates reports
l Creates private filters
Reconciliation
Reviewer
l Reviews reconciliations including flagging transactions, adding and removing comments; rejecting reconciliations;
and approving reconciliations
l Creates reports
l Creates private filters
Account Reconciliation Management Roles 73
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 74/96
Role Description
Reconciliation
Viewer
l Views reconciliations to which Viewer privileges are granted
l Creates reports
l Creates private filters
Planning RolesAdditional Foundation Services roles are required for Performance Management Architect and
Calculation Manager. See “Foundation Services Roles” on page 63.
Table 16 Planning Application Roles
Role Description
Power Roles
Administrator Performs all application tasks except those reserved for the Application Owner and Mass Allocate roles. Creates
and manages applications, manages access permissions, initiates the budget process, and designates the e-
mail server for notifications. Can use the Copy Data function.
Provisioning Manager Provisions users to the Planning application
Mass Allocation Accesses the Mass Allocate feature to spread data multidimensionally down a hierarchy, even to cells not
visible in the data form and to which the user does not have access. Any user type can be assigned this role,
but it should be assigned sparingly.
Essbase Write Access For planners and interactive users: Grants users access to Planning data in Essbase equivalent to their Planning
access permissions. Enables users having write access to change Planning data directly in Essbase using
another product such as Financial Reporting or a third-party tool.
Approvals Administrator
Approvals Administrator
role comprises these
roles:
l Approvals Ownership
Assigner
l Approvals Process
Designer
l Approvals Supervisor
Approvals Administrators are typically business users in charge of a region in an organization who need to
control the Approvals process for their region but do not need to be granted the Planning Administrator role.
Users with Approvals Administrator role can resolve any approval issue by manually taking ownership of the
process. They can perform these tasks:
l Control approvals process
l Perform actions on Planning units to which they have write access
l Assign owners and reviewers for the organization under their charge
l Change the secondary dimension or update validation rules
Approvals Ownership
Assigner
Performs tasks assigned to Planner role.
Approvals Ownership Assigners perform the following tasks for any member of the planning unit hierarchy to
which they have write access:
l Assign owners
l Assign reviewers
l Specify users to be notified
74 EPM System Roles
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 75/96
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 76/96
Profitability and Cost Management Roles
Standard Profitability and Cost Management Roles
Table 17 Standard Profitability and Cost Management Roles
Security Role Description
Power Roles
Administrator l Create and maintain user accounts and security roles, and provision users, using Shared Services
l Generate Essbase databases
l Set up and maintain application preferences
l Build the model database using Performance Management Architect to select the common dimensions and
members
l Create and maintain elements within the model, such as stages, drivers, POVs, driver selections, assignments,
and application preferences
l Perform POV Copy, calculation, validation, data entry, and trace allocations
l Deploy to Essbase and generate calculation scripts
l Import and export data
l Use the Lifecycle Management Utility to promote data from one environment, such as development or testing, to
another environment, such as production.
l Back up and restore Profitability and Cost Management model components.
l Monitor changes made to business objects.
l Access Profitability Application Home screen to create, maintain, register, duplicate and update Profitability and
Cost Management applications using Application Loader for Exalytics.
l Create, edit, copy, delete, and launch queries from Smart View Connections screen
Note: The Power User does not necessarily require specific security roles to perform tasks. For example, if a Power User runs a calculation from the Calculate screen, this action creates and executes a taskflow behind the scenes. The
Power User does not require the Manage Taskflow role to perform this task, unless the Power User wants to access
this task directly from the Manage Taskflows task.
Power User l Create and maintain elements within the model, such as stages, drivers, POVs, driver selections, assignments,
and application preferences.
l Perform POV Copy, calculation, validation, data entry and trace allocations.
l Deploy to Essbase and generate calculation scripts.
l Import and export data
l Access Profitability Application Home screen to create, maintain, register, duplicate and update Profitability and
Cost Management applications using Application Loader for Exalytics.
l Create, edit, copy, delete, and launch queries from Smart View Connections screen
Interactive Roles
Interactive User l View all modelling screens
l View and modify data in the Data Entry screen
l View Trace Allocations
l Launch queries from Smart View Connections screen
76 EPM System Roles
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 77/96
Security Role Description
View User View only access for these functions:
l Trace Allocations
l Application Preferences
l Model Stages, Drivers and POVs
Shared Services Roles
Manage
Taskflows
Required to create and edit taskflows.
Run Taskflows Required to enable users to only run and view taskflows. Users with this role cannot create or edit taskflows.
Profitability and Cost Management Roles 77
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 78/96
Detailed Profitability and Cost Management Roles
Table 18 Detailed Profitability and Cost Management Roles
Security Role Description
Administrator l Set up and maintain application preferences
l Build the model database using Performance Management Architect to select the common dimensions and membersl Create and deploy reporting views to the relational database
l Create, Read (View), Update and Delete the following functions:
m Stages
m Drivers
m POVs
m Driver Associations
m Assignments
m Application Preferences
m Calculation Rules
m Calculation Process Administration
m Jobs Library and Status
m Table Registration
l Perform the following tasks:
m POV Copy
m Validate
m Deploy
m Calculate
m Stop Jobs
l Use the Lifecycle Management Utility to promote data from one environment, such as development or testing, to
another environment, such as production.
l Import and export data
l Back up and restore Profitability and Cost Management model components.
l Monitor changes made to business objects.
l Create, edit, copy, delete, and launch queries from Smart View Connections screen
l Access Profitability Application Home screen to create, maintain, register, duplicate and update Profitability and
Cost Management applications using Application Loader for Exalytics.
78 EPM System Roles
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 79/96
Security Role Description
Power Roles
Power User l Create and maintain user accounts and security roles, and provision users, using Shared Services
l Create and deploy reporting views to the relational database
l Access Profitability Application Home screen to create, maintain, register, duplicate and update Profitability and
Cost Management applications using Application Loader for Exalytics.
l Create, edit, copy, delete, and launch queries from Smart View Connections screen
l Create, Read (View), Update and Delete the following functions:
m Stages
m Drivers
m POVs
m Driver Associations
m Assignments
m Application Preferences
m Calculation Rules
m Calculation Process Administration
m Jobs Library and Status
m Table Registration
l Perform the following tasks:
m POV Copy
m Validate
m Deploy
m Calculate
m Stop Jobs
Note: The Power User does not necessarily require specific security roles to perform tasks. For example, is a Power
User runs a calculation from the Calculate screen, this action creates and executes a taskflow behind the scenes. The
Power User does not require the manage Taskflow role to perform this task, unless the Power User wants to access this
task directly from Mange Taskflows task.
Interactive Roles
Interactive User l View (Read) the following functions:
m Stages
m Drivers
m POVs
m Driver Association
m
Assignmentsm Application Preferences
m Calculation Rules
m Calculation Process Administration
m Jobs Library and Status
m Table Registration
l Launch queries from Oracle Hyperion Smart View for Office Connections screen
Profitability and Cost Management Roles 79
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 80/96
Security Role Description
View User l View (Read) the following functions:
m Stages
m Drivers
m POVs
m Driver Associationm Assignments
m Application Preferences
m Calculation Rules
m Calculation Process Administration
m Jobs Library and Status
m Table Registration
Shared Services Role
Manage
Taskflows
Required to create and edit taskflows.
Run Taskflows Required to enable users to only run and view taskflows. Users with this role cannot create or edit taskflows.
Performance Scorecard Roles
Table 19 Performance Scorecard Roles
Role Description
Power Roles
Power Manager Provides the administrative capability within an Oracle Hyperion Performance Scorecard, environment
Provisioning Manager Provisions users and groups with Performance Scorecard, roles.
Interactive Roles
Basic Grants access to reports, scorecards, measures, and init iatives with the additional role of result collection
administration
Interactive Primarily a designer role, the Interactive User has access to all business objects for creation and modification.
These include maps (accountability, strategy, cause and effect) as well as scorecards, initiatives, and measures.
80 EPM System Roles
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 81/96
Strategic Finance Roles
Table 20 Strategic Finance Roles
Role Description
Power Roles
Administrator Administers Oracle Hyperion Strategic Finance, and assigns access to entities. Includes Interactive User
capabilities. Administrators perform these tasks:
l Adds and maintain servers
l Adds and maintain databases
l Adds and maintain users
l Adds and maintain user groups
l Creates and maintain entities
l Designs and view reports
Provisioning Manager Provisions users and groups with Strategic Finance, roles.
Interactive Roles
Basic User Enters data into entities, adds scenarios and subaccounts, and views reports
Interactive User Interactive users perform these tasks:
l Create and maintain entities
l Enter data into entities
l Add scenarios
l Add subaccounts
l Add dimensions
l Design and view reports
View Roles
View User Views entities and reports
Provider Services RolesOracle Hyperion Provider Services provides the Administrator power role, which allows users
to create, modify, and delete Essbase Server clusters.
Data Integration Management RolesOracle Hyperion Data Integration Management does not use the security environment
established by Shared Services.
If you are upgrading to the current version of Data Integration Management, and you used the
Shared Services authentication plug-in, you must deregister the Shared Services authentication
Strategic Finance Roles 81
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 82/96
plug-in and then use Informatica PowerCenter Repository Manager to recreate users. This
version of Data Integration Management supports only native Informatica authentication.
See Oracle Hyperion Data Integration Management documentation for detailed information.
FDM Roles
Table 21 FDM Roles
Roles Tasks per Role
Administrator Manages applications and performs any action. Has access to every location and rights to every form and control.
Basic Reviewer Reviews financial controls questions
Basic Reviewer
and Submitter
Submits certification or assessment after it has been reviewed
Intermediate 2–9 Loads data to the target system. Roles for intermediate levels are defined by the Oracle Hyperion Financial Data
Quality Management administrator. When a user is assigned a user level, that user has access to every object that has been assigned that level and higher.
For example, a user who is assigned Intermediate-7 role has access to each object that can be accessed using
Intermediate-7 through Intermediate-9, and All roles. Objects accessible to Power level and Intermediate 2 through
6 are unavailable to Intermediate-7 user.
FDMEE Roles
Table 22 FDMEE Roles
Roles Tasks per Role
Administrator Manages applications and performs any action
Provisioning Manager Provisions users and groups with Oracle Hyperion Financial Data Quality Management Enterprise Edition roles
Drill Through Applies to FDMEE and FDM. Controls the ability to drill through to the source system.
In FDM, this role is applied as a permissible task to an Intermediate role to control drilling back to the source
system.
In FDMEE, this role controls whether the user can drill to the FDMEE landing page, which controls drilling to the
source system.
Create Integration Creates FDMEE metadata and data rules.
Run Integration Runs FDMEE metadata and data rules and fills out runtime parameters. Can view transaction logs. FDM users who
need to extract data from Oracle General Ledger must be granted this role to run data rules.
GL Write Back Enables data write-back to the ERP source system.
82 EPM System Roles
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 83/96
Integrated Operational Planning Roles
Table 23 Integrated Operational Planning Roles
Roles Tasks per Role
Provisioning Manager Provisions users and groups with Disclosure Management roles
IOP Administrator Administers Oracle Integrated Operational Planning. IOP Administrators can modify models, access ACL pages,
and perform all Integrated Operational Planning tasks.
IOP User Performs Integrated Operational Planning actions as a normal user
Integrated Operational Planning Roles 83
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 84/96
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 85/96
B
EPM System Component Codes
Roles define the tasks that users can perform in EPM System applications. Roles from all
registered EPM System applications can be viewed from the Roles View in Oracle Hyperion
Shared Services Console.
The Roles View lists the roles name and the product code, which is the internal product name,
along with a brief role description. The product codes used by EPM System products are
indicated in Table 24.
Table 24 Product Codes Used by EPM System Products
Product Code Product Name
HUB Shared Services
CES Oracle Hyperion Shared Services (Workflow)
HP Planning
ESB Essbase
BPM Oracle Essbase Studio
ESBAPP Essbase Application
BPMA Performance Management Architect
HAVA Reporting and Analysis products such as the fol lowing:
l EPM Workspace
l Web Analysis
l Interactive Reporting
l Oracle Hyperion SQR Production Reporting
FDM Oracle Hyperion Financial Data Quality Management
EAL Oracle Essbase Analytics Link for Hyperion Financial Management
EALBRIDGE Oracle Essbase Analytics Link for Hyperion Financial Management Bridge
HFM Oracle Hyperion Financial Management
HPS Oracle Hyperion Performance Scorecard
HPM Oracle Hyperion Profitability and Cost Management
85
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 86/96
Product Code Product Name
CALC Oracle Hyperion Calculation Manager
HSF Oracle Hyperion Strategic Finance
AIF Oracle Hyperion Financial Data Quali ty Management Enterprise Edition
IOP Oracle Integrated Operational Planning
BIEE Oracle Business Intelligence Enterprise Edition
DISCMAN Oracle Hyperion Disclosure Management
FCC Oracle Hyperion Financial Close Management
BIP Oracle Business Intelligence Publisher
86 EPM System Component Codes
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 87/96
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 88/96
4 Click Log On.
5 In EPM Workspace, select Navigate.
6 Select Administer , and then Shared Services Console.
Accessing Administration Services ConsoleBefore starting these procedures, ensure that Foundation Services, web server, Oracle Essbase,
and Administration Services are running.
ä To access Administration Services Console from a URL:
1 Go to:
http://Web_server_name:port_number /easconsole/console.html
In the URL, Web_server_name indicates the name of the computer where the web server
used by Oracle Hyperion Foundation Services is running, and port_number indicates the
web server port; for example,https://myWebserver:19000/easconsole
.
Note: If you are accessing Oracle Hyperion Enterprise Performance Management
Workspace, in secure environments, use https (not http) as the protocol and the
secure web server port number. For example, use a URL such as: https://
myWebserver:19443/easconsole.
2 Click Launch.
3 Download and install Administration Services Console.
4 In the Oracle Essbase Administration Services Login screen, enter your user name and password.
5 Click OK .
88 Accessing EPM System Products
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 89/96
Glossary
access permissions A set of operations that a user can
perform on a resource.
aggregated role A custom role that aggregates multiple
predefined roles within a Hyperion product.
application 1) A software program designed to run a specific
task or group of tasks such as a spreadsheet program or
database management system; 2) A related set of dimensions
and dimension members that are used to meet a specific setof analytical requirements, reporting requirements, or both.
Application Migration Utility A command-line utility for
migrating applications and artifacts.
artifact An individual application or repository item; for
example, scripts, forms, rules files, Interactive Reporting
documents, and financial reports. Also known as an object.
authentication Verification of identity as a security measure.
Authentication is typically based on a user name and
password. Passwords and digital signatures are forms of
authentication.
automated stage A stage that does not require human
intervention; for example, a data load.
backup A duplicate copy of an application instance.
business process A set of activities that collectively
accomplish a business objective.
context variable A variable that is defined for a particular task
flow to identify the context of the taskflow instance.
external authentication Logging on to Oracle EPM Systemproducts with user information stored outside the
application. The user account is maintained by the EPM
System, but password administration and user
authentication are performed by an external service, using
a corporate directory such as Oracle Internet Directory
(OID) or Microsoft Active Directory (MSAD).
filter A constraint on data sets that restricts values to specific
criteria; for example, to exclude certain tables, metadata, or
values, or to control access.
group A container for assigning similar access permissions
to multiple users.
identity A unique identification for a user or group in
external authentication.
integration A process that is run to move data between
Oracle's Hyperion applications using Shared Services. Data
integration definitions specify the data moving between a
source application and a destination application, and they
enable the data movements to be grouped, ordered, and
scheduled.
lifecycle management The process of migrating an
application, a repository, or individual artifacts across
product environments.
link 1) A reference to a repository object. Links can reference
folders, files, shortcuts, and other links; 2) In a taskflow, the
point where the activity in one stage ends and another
begins.
link condition A logical expression evaluated by the taskflow
engine to determine the sequence of launching taskflow
stages.
load balancing Distribution of requests across a group of
servers, which helps to ensure optimal end user
performance.
managed server An application server process running in itsown Java Virtual Machine (JVM).
manual stage A stage that requires human intervention.
migration The process ofcopying applications, artifacts, or
users from one environment or computer to another; for
example, from a testing environment to a production
environment.
Glossary 89
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 90/96
migration audit report A report generated from the migration
log that provides tracking information for an application
migration.
migration definition file (.mdf) A file that contains migration
parameters for an application migration, enabling batch
script processing.
migration log A log file that captures all application migration
actions and messages.
migration snapshot A snapshot of an application migration
that is captured in the migration log.
model 1) A file or content string containing an application-
specific representation of data. Models are the basic data
managed by Shared Services, of two major types:
dimensional and nondimensional application objects; 2) In
Business Modeling, a network of boxes connected to
represent and calculate the operational and financial flow
through the area being examined.
product In Shared Services, an application type, such as
Planning or Performance Scorecard.
project An instance of Oracle's Hyperion products grouped
together in an implementation. For example, a Planning
project may consist of a Planning application, an Essbase
cube, and a Financial Reporting Server instance.
provisioning The process of granting users and groups
specific access permissions to resources.
repository Storage location for metadata, formatting, and
annotation information for views and queries.
role The means by which access permissions are granted to
users and groups for resources.
security agent A web access management provider (for
example, Oracle Access Manager, Oracle Single Sign-On, or
CA SiteMinder) that protects corporate web resources.
security platform A framework enabling Oracle EPM System
products to use external authentication and single sign-on.
Shared Services Registry The part of the Shared Services
repository that manages EPM System deployment
information for most EPM System products, including
installation directories, database settings, computer names,
ports, servers, URLs, and dependent service data.
single sign-on (SSO) The ability to log on once and then access
multiple applications without being prompted again for
authentication.
stage 1) A task description that forms one logical step
within a taskflow, usually performed by an individual. A
stage can be manual or automated; 2) For Profitability,
logical divisions within the model that represent the stepsin the allocation process within your organization.
stage action For automated stages, the invoked action that
executes the stage.
sync Synchronization of Shared Services and application
models.
synchronized The condition that exists when the latest
version of a model resides in both the application and in
Shared Services. See also model.
task list A detailed status list of tasks for a particular user.
taskflow The automation of a business process in which
tasks are passed from one taskflow participant to another
according to procedural rules.
taskflow definition Business processes in the taskflow
management system that consist of a network of stages and
their relationships; criteria indicating the start and end of
the taskflow; and information about individual stages, such
as participants, associated applications, associated activities,
and so on.
taskflow instance A single instance of a taskflow including its
state and associated data.
taskflow management system A system that defines, creates,
and manages the execution of a taskflow, including
definitions, user or application interactions, and
application executables.
taskflow participant The resource that performs the task
associated with the taskflow stage instance for both manual
and automated stages.
token An encrypted identification of one valid user or group
on an external authentication system.
transformation A process that transforms artifacts so that
they function properly in the destination environment after
application migration.
90 Glossary
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 91/96
upgrade The process of deploying a new software release and
moving applications, data, and provisioning information
from an earlier deployment to the new deployment.
user directory A centralized location for user and group
information, also known as a repository or provider.
Popular user directories include Oracle Internet Directory
(OID), Microsoft Active Directory (MSAD), and Sun JavaSystem Directory Server.
Glossary 91
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 92/96
92 Glossary
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 93/96
Index
A access
Administration Services, 88
EPM Workspace, 87
access permissions, 21
Calculation Manager roles, 65
Profitability and Cost Management, 78
Disclosure Management, 72
FDMEE, 82Essbase, 66
Essbase Studio, 67
Financial Close Manager, 72
FDM, 82
Financial Management, 70
Financial Management Manager , 66
Foundation Services roles, 63
Integrated Operational Planning, 83
Performance Management Architect roles, 65
Performance Scorecard, 80
Provider Services, 81Reporting and Analysis, 68
Shared Services roles, 63
Profitability and Cost Management, 76
Strategic Finance, 81
Account Reconciliation Management roles, 73
activate user accounts, 35
administrators
renaming, 33
aggregated roles, 15, 41
create, 41
delete, 43modify, 42
application group
adding applications to, 18
create, 18
deleting, 19
renaming, 18
application-level access, 21
applications
Account Reconciliation Management roles, 73
adding to application group, 18
adding to existing application group, 18
copying provisioning information, 20
defined, 17
delete, 21
Planning roles, 74
removing from application groups, 18assign
access permission, 21
audit reports
artifact report, 52
config report, 52
security report, 52
authentication
components, 13
managing directories, 31
overview, 13
authorizationaggregated roles, 15
global roles, 15
groups, 16
overview, 14
predefined roles, 15
roles, 15
users, 16
BBrowse tab, 10
browser problems
pop-up blockers, 10, 87
Cconfig report, 52
copying provisioning information, 20
create
A B C D E F G H I L M N O P R S T U V W
Index 93
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 94/96
aggregated roles, 41
application group, 18
delegated administrators, 25
delegated lists, 26
groups, 37
users, 32
creating
users, 32
Ddeactivate users, 34
default
Native Directory users and groups, 31
delegated administration
creating administrators, 25
delegated administrators, 24
enabling, 24
hierarchy, 23provisioning, 25
System Administrators, 23
delegated lists
creating, 26
deleting, 29
modifying, 27
delegated reports, 29
delegation plan, 25
delete
aggregated roles, 43
application, 21application groups, 19
applications from application group, 18
delegated lists, 29
groups, 40
user accounts, 35
deprovision
groups, 48
Profitability and Cost Management
roles, 78
Disclosure Management roles, 72
Eenabling
delegated administration, 24
FDMEEroles, 82
Essbase
application roles, 67
roles, 66
Server roles, 67
Essbase roles
Administrator, 67
Calc, 67
Database Manager, 67
Filter, 67
Read, 67
Start/Stop Application, 67
Write, 67
Essbase Studio
roles, 67
export provisioning data, 54
F Financial Close Manager roles, 72
FDM roles, 82
Financial Managementroles, 70
Foundation Services
Calculation Manager roles, 65
Financial Management Manager roles, 66
Performance Management Architect roles, 65
roles, 63
Shared Services roles, 63
G
groups, 16creating , 37
delete, 40
deprovisioning, 48
manage Native Directory, 36
modify, 39
nested, 37
provisioning, 47
rename, 39
Hhierarchy
delegated administration, 23
Iimport provisioning data, 54
Import/Export utility (provisioning data), 54
Integrated Operational Planning roles, 83
A B C D E F G H I L M N O P R S T U V W
94 Index
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 95/96
LLDAP, 14
Mmanage
Native Directory, 31
Native Directory groups, 36Native Directory Roles, 41
users, 32
modify
aggregated roles, 42
application groups, 18
groups, 39
users, 33
modifying
delegated lists, 27
Nnaming guidelines
groups, 37
users, 32
Native Directory, 14
about, 31
activate deactivated accounts, 35
back up procedures, 43
create aggregated roles, 41
create users, 32
deactivate user accounts, 34default users and groups, 31
delete aggregated roles, 43
delete groups, 40
export, 54
groups, 36
manage roles, 41
modify groups, 39
modify user accounts, 33
update aggregated roles, 42
users, 32
nested groupsinheritance policy, 37
Oobject-level security, 21
PPerformance Scorecard
roles, 80
Planning
application roles, 74
planning delegated administration
delegation plan, 25
user accounts, 25
Planning roles
Administrator, 74
Essbase Write Access, 74
Interactive User, 75
Mass Allocation, 74
Planner, 75
Provisioning Manager, 74
View User, 75
pop-up blockers, 10, 87
predefined roles, 15
product-specific access, 21
Provider Services roles, 81
provisioning
delegated administrators, 25
exporting data, 54
groups, 16, 47
importing data, 54
overview, 14
users, 16
provisioning report, 51
Rrenaming
administrators, 33
application groups, 18
groups, 39
users, 33
Reporting and Analysis roles, 68
Job Manager, 68
reports
audit
artifact report, 52config report, 52
security report, 52
delegated reports, 29
provisioning, 51
roles
Account Reconciliation Management, 73
aggregated, 15, 41
A B C D E F G H I L M N O P R S T U V W
Index 95
8/9/2019 EPM System User Security Administration Guide 11.1.2.3
http://slidepdf.com/reader/full/epm-system-user-security-administration-guide-11123 96/96
assign to group, 47
Calculation Manager roles, 65
create aggregated, 41
Data Integration Management, 81
defined, 15
delete aggregated, 43
Profitability and Cost Management, 78
Disclosure Management, 72
FDMEE, 82
Essbase, 66
Essbase, 67
Essbase applications, 67
Essbase Server, 67
Essbase, 67
Essbase Studio, 67
Financial Close Manager, 72
FDM, 82
Financial Management Manager , 66
Financial Management, 70
Foundation Services roles, 63
global, 15
Integrated Operational Planning, 83
manage, 41
Performance Management Architect roles, 65
Performance Scorecard, 80
Planning applications, 74
predefined, 15
Provider Services, 81
remove assignment, 48Reporting and Analysis, 68
Shared Services roles, 63
Profitability and Cost Management, 76
Strategic Finance, 81
update aggregated, 42
S
Profitability and Cost Management
roles, 76
Strategic Finance roles, 81
T task tabs, 10
taskflowsabout, 55
creating, 57
Editing, 59
running, 60
scheduling, 60
viewing, 60
viewing status, 61
Uuser
authentication, 13
authentication components, 13
user accounts
for delegated administration, 25
user directory
defined, 14
user provisioning
copying to another application, 20
users, 16
activate inactive, 35
creating, 32deactivate accounts, 34
deleting, 35
manage in Native directory, 32
modifying, 33
naming guidelines, 32
renaming, 33
A B C D E F G H I L M N O P R S T U V W